CVE-2019-14859

CWE-34712 documents8 sources
Severity
9.1CRITICAL
EPSS
0.1%
top 79.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Python-ecdsa Project Python-ecdsaRED HAT Python-ecdsaRedhat Ceph Storage+2 more
Timeline
PublishedJan 2
Latest updateApr 1

Description

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages8 packages

Debianpython-ecdsa< 0.13.3-1+3
Ubuntupython-ecdsa< 0.13-2ubuntu0.16.04.1+1
CVEListV5red_hat/python-ecdsaall python-ecdsa versions before 0.13.3
PyPIecdsa< 0.13.3

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

5
OSV
Improper Verification of Cryptographic Signature in Pure-Python ECDSA2020-04-01
GHSA
Improper Verification of Cryptographic Signature in Pure-Python ECDSA2020-04-01
OSV
CVE-2019-14859: A flaw was found in all python-ecdsa versions before 02020-01-02
CVEList
CVE-2019-14859: A flaw was found in all python-ecdsa versions before 02020-01-02
OSV
python-ecdsa vulnerabilities2019-11-18

📋Vendor Advisories

3
Ubuntu
python-ecdsa vulnerabilities2019-11-18
Red Hat
python-ecdsa: DER encoding is not being verified in signatures2019-09-25
Debian
CVE-2019-14859: python-ecdsa - A flaw was found in all python-ecdsa versions before 0.13.3, where it did not co...2019

💬Community

3
Bugzilla
CVE-2019-14859 python-ecdsa: DER encoding is not being verified in signatures [epel-all]2019-10-11
Bugzilla
CVE-2019-14859 python-ecdsa: DER encoding is not being veryfied in signatures [fedora-all]2019-10-11
Bugzilla
CVE-2019-14859 python-ecdsa: DER encoding is not being verified in signatures2019-10-11
CVE-2019-14859 (CRITICAL CVSS 9.1) | A flaw was found in all python-ecds | cvebase.io