CVE-2021-20305: Use of a Broken or Risky Cryptographic Algorithm

April 5, 2021 (updated November 9, 2023)

A flaw was found in Nettle, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

References

bugzilla.redhat.com/show_bug.cgi?id=1942533
nvd.nist.gov/vuln/detail/CVE-2021-20305

Code Behaviors & Features

Detect and mitigate CVE-2021-20305 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →