CVE-2023-44273: Deserialization of Untrusted Data

September 28, 2023 (updated October 2, 2023)

Consensys gnark-crypto through 0.11.2 allows Signature Malleability. This occurs because deserialisation of EdDSA and ECDSA signatures does not ensure that the data is in a certain interval.

References

github.com/Consensys/gnark-crypto/pull/449
github.com/Consensys/gnark-crypto/releases
github.com/Consensys/gnark-crypto/releases/tag/v0.12.0
github.com/advisories/GHSA-9xfq-8j3r-xp5g
nvd.nist.gov/vuln/detail/CVE-2023-44273
verichains.io/

Code Behaviors & Features

Detect and mitigate CVE-2023-44273 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →