CVE-2019-14859
A flaw was found in all python-ecdsa versions before 0.13.3: the library did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable, and an attacker could use a malleable signature to create false transactions.
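As an added illustration (not code from python-ecdsa or from this advisory), the strict DER decoder below for an ECDSA signature, SEQUENCE { INTEGER r, INTEGER s }, shows the kind of encoding check the description refers to. The four sample byte strings all carry (r, s) = (1, 2), which a lenient parser could read identically, but only the first is canonical DER. Function names and sample bytes are constructed for this example.

```python
# Added illustration, not python-ecdsa code; names and sample bytes are constructed.
class DERError(ValueError): pass  # signature bytes are not canonical DER

def _read_length(buf, pos):
    """Return (length, next_pos); only the shortest definite form is accepted."""
    if pos >= len(buf):
        raise DERError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise DERError("indefinite or truncated length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if buf[pos + 1] == 0 or length < 0x80:
        raise DERError("non-minimal length encoding")
    return length, pos + 1 + n

def _read_integer(buf, pos):
    """Return (value, next_pos) for a minimally encoded, non-negative INTEGER."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise DERError("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise DERError("empty or truncated INTEGER")
    if body[0] & 0x80:
        raise DERError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise DERError("unnecessary leading zero")
    return int.from_bytes(body, "big"), pos + length

def decode_sig_strict(sig):
    """Decode SEQUENCE { INTEGER r, INTEGER s }, rejecting non-canonical bytes."""
    if not sig or sig[0] != 0x30:
        raise DERError("expected SEQUENCE tag")
    length, pos = _read_length(sig, 1)
    if pos + length != len(sig):
        raise DERError("SEQUENCE length does not match input")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise DERError("unexpected data after s")
    return r, s

# Constructed sample encodings of the same (r, s) = (1, 2); only the first is DER.
CANONICAL = bytes.fromhex("3006020101020102")
LONG_FORM_LENGTH = bytes.fromhex("308106020101020102")
PADDED_R = bytes.fromhex("300702020001020102")
TRAILING_BYTE = bytes.fromhex("300602010102010200")
```

Systems that treat the signature bytes as an identifier (for example, hashing them into a transaction ID) need exactly one accepted encoding per (r, s), which is what the strict decoder enforces.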
Published
2020-01-02T15:15:11.960
Last Modified
2024-11-21T04:27:30.923
Status
Modified
Source
[email protected]
Severity
CVSSv3.1: 9.1 (CRITICAL)
CVSSv2 Vector
AV:N/AC:L/Au:N/C:P/I:P/A:N
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: NONE
Exploitability Score
10.0
Impact Score
4.9
Weaknesses
- Type: Secondary, CWE-347
- Type: Primary, CWE-347
Affected Vendors & Products
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 (Exploit, Issue Tracking, Patch, Third Party Advisory)
- https://github.com/warner/python-ecdsa/issues/114 (Exploit, Third Party Advisory)
- https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3 (Release Notes, Third Party Advisory)
- https://pypi.org/project/ecdsa/0.13.3/ (Release Notes, Third Party Advisory)