Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Trivial signature forgery in ecdsautils
Vulnerability Description
ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
ECDSA Util 数据伪造问题漏洞
Vulnerability Description
ECDSA Util是一个用于 ECDSA 的小程序集合。 ECDSA Util 0.4.1之前版本存在安全漏洞,该漏洞源于ecdsa_verify_[prepare_]legacy()不检查签名值r和s是否非零。
CVSS Information
N/A
Vulnerability Type
N/A