9.1

CVE-2019-14859

Exploit
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Python-ecdsa ProjectPython-ecdsa Version < 0.13.3
RedhatCeph Storage Version2.0
RedhatCeph Storage Version3.0
RedhatOpenstack Version10
RedhatOpenstack Version13
RedhatOpenstack Version14
RedhatOpenstack Version15
RedhatVirtualization Version4.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.07% 0.203
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:P/I:P/A:N
secalert@redhat.com 7.4 2.2 5.2
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
Patch
Third Party Advisory
Exploit
Issue Tracking
https://pypi.org/project/ecdsa/0.13.3/
Third Party Advisory
Release Notes