CVE-2019-14859
python-ecdsa: DER encoding is not being verified in signatures
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta comprobación, se podría aceptar una firma malformada, haciendo que la firma sea maleable. Sin la comprobación apropiada, un atacante podría usar una firma maleable para crear transacciones falsas.
A flaw was found in python-ecdsa, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-11-18 CVE Published
- 2023-09-19 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3 | Release Notes | |
| https://pypi.org/project/ecdsa/0.13.3 | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 | 2024-08-05 | |
| https://github.com/warner/python-ecdsa/issues/114 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2019-14859 | 2021-11-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1760843 | 2021-11-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Python-ecdsa Project Search vendor "Python-ecdsa Project" | Python-ecdsa Search vendor "Python-ecdsa Project" for product "Python-ecdsa" | < 0.13.3 Search vendor "Python-ecdsa Project" for product "Python-ecdsa" and version " < 0.13.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ceph Storage Search vendor "Redhat" for product "Ceph Storage" | 2.0 Search vendor "Redhat" for product "Ceph Storage" and version "2.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ceph Storage Search vendor "Redhat" for product "Ceph Storage" | 3.0 Search vendor "Redhat" for product "Ceph Storage" and version "3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 10 Search vendor "Redhat" for product "Openstack" and version "10" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 13 Search vendor "Redhat" for product "Openstack" and version "13" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 14 Search vendor "Redhat" for product "Openstack" and version "14" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 15 Search vendor "Redhat" for product "Openstack" and version "15" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Virtualization Search vendor "Redhat" for product "Virtualization" | 4.0 Search vendor "Redhat" for product "Virtualization" and version "4.0" | - |
Affected
| ||||||