GHSA-2wc6-2rcj-8v76

Source

https://github.com/advisories/GHSA-2wc6-2rcj-8v76

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-2wc6-2rcj-8v76/GHSA-2wc6-2rcj-8v76.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2wc6-2rcj-8v76

Aliases

CVE-2017-1000168
RUSTSEC-2017-0001

Published

2021-08-25T21:00:41Z

Modified

2023-11-08T03:58:43.680103Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

scalarmult() vulnerable to degenerate public keys

Details

The scalarmult() function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used.

This issue was fixed by checking for this class of keys and rejecting them if they are used.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1240"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-05T21:10:47Z"
}

References

Affected packages

crates.io / sodiumoxide

Package

Name: sodiumoxide; View open source insights on deps.dev
Purl: pkg:cargo/sodiumoxide

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.14