// For flags

CVE-2019-14859

python-ecdsa: DER encoding is not being verified in signatures

Severity Score

9.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta comprobación, se podría aceptar una firma malformada, haciendo que la firma sea maleable. Sin la comprobación apropiada, un atacante podría usar una firma maleable para crear transacciones falsas.

A flaw was found in python-ecdsa, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-08-10 CVE Reserved
  • 2019-11-18 CVE Published
  • 2023-09-19 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Python-ecdsa Project
Search vendor "Python-ecdsa Project"
Python-ecdsa
Search vendor "Python-ecdsa Project" for product "Python-ecdsa"
< 0.13.3
Search vendor "Python-ecdsa Project" for product "Python-ecdsa" and version " < 0.13.3"
-
Affected
Redhat
Search vendor "Redhat"
Ceph Storage
Search vendor "Redhat" for product "Ceph Storage"
2.0
Search vendor "Redhat" for product "Ceph Storage" and version "2.0"
-
Affected
Redhat
Search vendor "Redhat"
Ceph Storage
Search vendor "Redhat" for product "Ceph Storage"
3.0
Search vendor "Redhat" for product "Ceph Storage" and version "3.0"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
10
Search vendor "Redhat" for product "Openstack" and version "10"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
13
Search vendor "Redhat" for product "Openstack" and version "13"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
14
Search vendor "Redhat" for product "Openstack" and version "14"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
15
Search vendor "Redhat" for product "Openstack" and version "15"
-
Affected
Redhat
Search vendor "Redhat"
Virtualization
Search vendor "Redhat" for product "Virtualization"
4.0
Search vendor "Redhat" for product "Virtualization" and version "4.0"
-
Affected