RUSTSEC-2020-0156

Observable Discrepancy in libsecp256k1-rs

Reported

January 22, 2020

Issued

September 9, 2021 (last modified: September 10, 2021)

Package

libsecp256k1-rs (crates.io)

Type

Vulnerability

Categories

crypto-failure

Aliases

CVE-2019-20399
GHSA-7cqg-8449-rmfv

References

https://nvd.nist.gov/vuln/detail/CVE-2019-20399

CVSS Score

5.9 MEDIUM

CVSS Details

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Patched

>=0.3.1

Description

A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.

Advisory available under CC0-1.0 license.