Vulnerability Description
A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nettle Project | Nettle | < 3.7.2 |
| Fedoraproject | Fedora | 33 |
| Redhat | Enterprise Linux | 7.0 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1942533Issue TrackingPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/09/msg00008.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202105-31Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-4933Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1942533Issue TrackingPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/09/msg00008.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202105-31Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211022-0002/Third Party Advisory
- https://www.debian.org/security/2021/dsa-4933Third Party Advisory
FAQ
What is CVE-2021-20305?
CVE-2021-20305 is a vulnerability with a CVSS score of 8.1 (HIGH). A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply func...
How severe is CVE-2021-20305?
CVE-2021-20305 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-20305?
Check the references section above for vendor advisories and patch information. Affected products include: Nettle Project Nettle, Fedoraproject Fedora, Redhat Enterprise Linux, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility.