CVE-2019-14859

Published Jan 2, 2020

Last updated 4 years ago

CVSS critical 9.1

Overview

Description: A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
Source: secalert@redhat.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.1
Impact score: 5.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: CRITICAL

CVSS 3.0

Type: Secondary
Base score: 7.4
Impact score: 5.2
Exploitability score: 2.2
Vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.4
Impact score: 4.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-347
secalert@redhat.com: CWE-347

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:python-ecdsa_project:python-ecdsa:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F7B0A174-35C3-4CBC-95FD-1359971CAE7E",
            "versionEndExcluding": "0.13.3"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redhat:ceph_storage:2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D07DF15E-FE6B-4DAF-99BB-2147CF7D7EEA"
          },
          {
            "criteria": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "516F4E8E-ED2F-4282-9DAB-D8B378F61258"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA"
          },
          {
            "criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED"
          },
          {
            "criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B"
          },
          {
            "criteria": "cpe:2.3:a:redhat:openstack:15:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "70108B60-8817-40B4-8412-796A592E4E5E"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References