Severity
9.8CRITICAL
EPSS
1.2%
top 21.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 23
Latest updateMay 14
Description
The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages5 packages
Also affects: Ubuntu Linux 14.04, 15.10
Patches
🔴Vulnerability Details
4📋Vendor Advisories
4💬Community
5Bugzilla▶
CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 mingw-nettle: nettle:various elliptic curve calculation flaws [fedora-all]↗2016-02-03
Bugzilla▶
CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 compat-nettle27: nettle:various elliptic curve calculation flaws [fedora-23]↗2016-02-03
Bugzilla▶
CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 nettle:various elliptic curve calculation flaws [fedora-all]↗2016-02-03
Bugzilla▶
CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 mingw-nettle: nettle:various elliptic curve calculation flaws [epel-7]↗2016-02-03