PT-2021-3125 · Nettle+9 · Nettle+9
Cedric Buissart
·
Published
2021-03-16
·
Updated
2026-03-10
·
CVE-2021-20305
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Nettle versions prior to 3.7.2
Description
A flaw was found in the Nettle signature verification functions, including GOST DSA, EDDSA, and ECDSA, where the Elliptic Curve Cryptography point multiply function is called with out-of-range scalers, possibly resulting in incorrect results. This allows an attacker to force an invalid signature, causing an assertion failure or possible validation issues. The highest threat to this vulnerability is to confidentiality, integrity, and system availability. An attacker may exploit this vulnerability by inputting an invalid signature, potentially allowing them to execute arbitrary code.
Recommendations
For versions prior to 3.7.2, update to version 3.7.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable signature verification functions until a patch is available. Avoid using the
GOST DSA, EDDSA, and ECDSA functions in sensitive operations until the issue is resolved.Fix
Use of a Broken Cryptographic Algorithm
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Centos
Linuxmint
Nettle
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu