Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
Vulnerability Description
The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
RustCrypto signatures 数据伪造问题漏洞
Vulnerability Description
RustCrypto signatures是RustCrypto开源的一个数字签名算法集合。 RustCrypto signatures 0.0.4版本至0.1.0-rc.4之前版本存在数据伪造问题漏洞,该漏洞源于签名验证实现错误地接受重复提示索引,可能导致签名验证绕过。
CVSS Information
N/A
Vulnerability Type
N/A