QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14859

Published: Jan 2, 2020

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

7.4

HIGH

Description

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

Vendor	Product	Versions
Red Hat	python-ecdsa	affected `all python-ecdsa versions before 0.13.3`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859

x_refsource_CONFIRM

https://pypi.org/project/ecdsa/0.13.3/

x_refsource_MISC

https://github.com/warner/python-ecdsa/issues/114

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.