Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

WS-2023-0284

Good to know:

icon

Date: August 9, 2023

Blst versions v0.3.0 through 0.3.10 failed to perform a signature group-check if the call to SigValidate in the Go bindings was complemented with a check for infinity. Formally speaking, infinity, or the identity element of the elliptic curve group, is a member of the group, and the group-check should allow it. An initial review of blst users on GitHub did not uncover any use of this function with the complementary infinity check. This optional check was added as a convenience feature because despite infinity being a legitimate member of the group, individual signatures should never be infinite (as it is equivalent to having zero for the secret key), and observing one should raise a flag.

Language: Go

Severity Score

Related Resources (2)

https://github.com/supranational/blst/commit/fb91221c91c82f65bfc7f243256308977a06d48b
https://www.mend.io/vulnerability-database/WS-2023-0284

Severity Score

Weakness Type (CWE)

Improper Validation of Integrity Check Value

CWE-354

Top Fix

icon

Upgrade Version

Upgrade to version v0.3.11

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us