RUSTSEC-2017-0001

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2017-0001

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2017-0001.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2017-0001

Aliases

CVE-2017-1000168
GHSA-2wc6-2rcj-8v76

Published

2017-01-26T12:00:00Z

Modified

2023-11-08T03:58:43.680103Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

scalarmult() vulnerable to degenerate public keys

Details

The scalarmult() function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used.

This issue was fixed by checking for this class of keys and rejecting them if they are used.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / sodiumoxide

Package

Name: sodiumoxide; View open source insights on deps.dev
Purl: pkg:cargo/sodiumoxide

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.0.14

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
    "informational": null,
    "categories": []
}