Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3YzYtMnJjai04djc2
scalarmult() vulnerable to degenerate public keys
The scalarmult() function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used.
This issue was fixed by checking for this class of keys and rejecting them if they are used.
Permalink: https://github.com/advisories/GHSA-2wc6-2rcj-8v76JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3YzYtMnJjai04djc2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-2wc6-2rcj-8v76, CVE-2017-1000168
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000168
- https://github.com/dnaq/sodiumoxide/issues/154
- https://github.com/sodiumoxide/sodiumoxide/commit/24c7a5550807ac8a09648b5878f19d14c3a69135
- https://rustsec.org/advisories/RUSTSEC-2017-0001.html
- https://github.com/advisories/GHSA-2wc6-2rcj-8v76
Blast Radius: 19.0
Affected Packages
cargo:sodiumoxide
Dependent packages: 167Dependent repositories: 824
Downloads: 2,864,934 total
Affected Version Ranges: < 0.0.14
Fixed in: 0.0.14
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13
All unaffected versions: 0.0.14, 0.0.15, 0.0.16, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7