An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0yeDVqLXZoYzgtOWN3bc4ABI56

CIRCL-Fourq: Missing and wrong validation can lead to incorrect results

Affected package: go:github.com/cloudflare/circl
Affected versions: < 1.6.1
Fixed versions: 1.6.1
6,861 Dependent packages
2,787 Dependent repositories

Affected Version Ranges

All affected versions

1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.5.0, 1.6.0

All unaffected versions

1.6.1

Impact

The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security.

Moreover, incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and when checking whether a point is on the curve.

Patches

Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues.

We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.
