Vulnerability Description
Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| P5-Crypt-Perl Project | P5-Crypt-Perl | < 0.32 |
Related Weaknesses (CWE)
References
- https://github.com/FGasper/p5-Crypt-Perl/commit/f960ce75502acf7404187231a706672f (Patch, Third Party Advisory)
- https://github.com/FGasper/p5-Crypt-Perl/issues/14 (Third Party Advisory)
FAQ
What is CVE-2020-13895?
CVE-2020-13895 is a vulnerability with a CVSS score of 8.8 (HIGH). Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve ...
How severe is CVE-2020-13895?
CVE-2020-13895 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-13895?
Check the references section above for vendor advisories and patch information. Affected products include: P5-Crypt-Perl Project P5-Crypt-Perl.