CVE-2019-14859

python-ecdsa: DER encoding is not being verified in signatures

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta comprobación, se podría aceptar una firma malformada, haciendo que la firma sea maleable. Sin la comprobación apropiada, un atacante podría usar una firma maleable para crear transacciones falsas.

A flaw was found in python-ecdsa, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include XML injection, code execution, denial of service, information leakage, local file inclusion, man-in-the-middle, memory leak, open redirection, password leak, remote file inclusion, remote shell upload, and traversal vulnerabilities.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-10 CVE Reserved
2019-11-18 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-347: Improper Verification of Cryptographic Signature

CAPEC

References (6)

URL	Tag	Source
https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3	Release Notes
https://pypi.org/project/ecdsa/0.13.3	Release Notes

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859	2024-08-05
https://github.com/warner/python-ecdsa/issues/114	2024-08-05

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2019-14859	2021-11-16
https://bugzilla.redhat.com/show_bug.cgi?id=1760843	2021-11-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python-ecdsa Project Search vendor "Python-ecdsa Project"		Python-ecdsa Search vendor "Python-ecdsa Project" for product "Python-ecdsa"				< 0.13.3 Search vendor "Python-ecdsa Project" for product "Python-ecdsa" and version " < 0.13.3"		-		Affected
Redhat Search vendor "Redhat"		Ceph Storage Search vendor "Redhat" for product "Ceph Storage"				2.0 Search vendor "Redhat" for product "Ceph Storage" and version "2.0"		-		Affected
Redhat Search vendor "Redhat"		Ceph Storage Search vendor "Redhat" for product "Ceph Storage"				3.0 Search vendor "Redhat" for product "Ceph Storage" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				10 Search vendor "Redhat" for product "Openstack" and version "10"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				13 Search vendor "Redhat" for product "Openstack" and version "13"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				14 Search vendor "Redhat" for product "Openstack" and version "14"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				15 Search vendor "Redhat" for product "Openstack" and version "15"		-		Affected
Redhat Search vendor "Redhat"		Virtualization Search vendor "Redhat" for product "Virtualization"				4.0 Search vendor "Redhat" for product "Virtualization" and version "4.0"		-		Affected