CVE-2017-1000168 – sodiumoxide

Package

Manager: cargo
Name: sodiumoxide
Vulnerable Version: >=0 <0.0.14

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00265 pctl0.49754

Details

scalarmult() vulnerable to degenerate public keys The scalarmult() function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used. This issue was fixed by checking for this class of keys and rejecting them if they are used.

Metadata

Created: 2021-08-25T21:00:41Z
Modified: 2023-06-13T20:56:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-2wc6-2rcj-8v76/GHSA-2wc6-2rcj-8v76.json
CWE IDs: ["CWE-1240"]
Alternative ID: GHSA-2wc6-2rcj-8v76
Finding: F052
Auto approve: 1