Vulnerability Description
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, because the uninitialized variable is used and interpreted as a user-defined type. Depending on the variable's actual value, this can result in an arbitrary free(), an arbitrary realloc(), a null pointer dereference, or other faults. Since the stack contents can be controlled by the attacker, the vulnerability could be used to corrupt allocator structures, leading to possible heap exploitation. The attacker could cause a denial of service by exploiting this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Antonkueltz | Fastecdsa | < 2.3.2 |
Related Weaknesses (CWE)
References
- https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26 (Exploit, Third Party Advisory)
- https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210 (Broken Link)
- https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac645 (Patch)
- https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045 (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-21502?
CVE-2024-21502 is a vulnerability with a CVSS score of 7.5 (HIGH). Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, because the uninitialized variable is used and interpreted as a user-defined type.
How severe is CVE-2024-21502?
CVE-2024-21502 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-21502?
Check the references section above for vendor advisories and patch information. Affected products include: Antonkueltz Fastecdsa.