Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3YzYtMnJjai04djc2

scalarmult() vulnerable to degenerate public keys

The scalarmult() function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used.

This issue was fixed by checking for this class of keys and rejecting them if they are used.

Permalink: https://github.com/advisories/GHSA-2wc6-2rcj-8v76
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJ3YzYtMnJjai04djc2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 12 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Identifiers: GHSA-2wc6-2rcj-8v76, CVE-2017-1000168
References: Repository: https://github.com/dnaq/sodiumoxide
Blast Radius: 19.0

Affected Packages

cargo:sodiumoxide
Dependent packages: 170
Dependent repositories: 824
Downloads: 2,966,329 total
Affected Version Ranges: < 0.0.14
Fixed in: 0.0.14
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13
All unaffected versions: 0.0.14, 0.0.15, 0.0.16, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7