Vulnerability Lookup

🛡️ CVE-2022-24884

🔴 CVSS 10.0 — Critical ✅ No Known Exploit CWE-347 NVD

10.0

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

Details

Severity CRITICAL

CVSS Score 10.0

CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE CWE-347

Public Exploit ✅ No

Source NVD

Published 2022-05-06

Updated 2026-06-08

Modified 2024-11-21

Fix URL https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08

Affected Packages

Software	From version	Fixed in
debian-linux	—	—
ecdsautils	—	0.4.1
fedora	—	—

References

Patch, Third Party Advisory https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08

Patch, Third Party Advisory https://github.com/freifunk-gluon/ecdsautils/commit/39b6d0a77414fd41614953a0e185c4eefa2f88ad

Third Party Advisory https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw

Mailing List, Third Party Advisory https://lists.debian.org/debian-lts-announce/2022/05/msg00007.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AKQH5WCBMJA3ODCSNERY6HVX4BX3ITG/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2JT57AAFIEL7JDO2ZBV25JKYME5NU54/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7UBR3M4U3LA46BHXYSH7EN5GDG44GK7/

Third Party Advisory https://www.debian.org/security/2022/dsa-5132

Patch, Third Party Advisory https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08

Patch, Third Party Advisory https://github.com/freifunk-gluon/ecdsautils/commit/39b6d0a77414fd41614953a0e185c4eefa2f88ad

Third Party Advisory https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw

Mailing List, Third Party Advisory https://lists.debian.org/debian-lts-announce/2022/05/msg00007.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4AKQH5WCBMJA3ODCSNERY6HVX4BX3ITG/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G2JT57AAFIEL7JDO2ZBV25JKYME5NU54/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7UBR3M4U3LA46BHXYSH7EN5GDG44GK7/

Third Party Advisory https://www.debian.org/security/2022/dsa-5132

🔗 NVD 🔗 Mitre ✅ Fix / Advisory

Similar Threats

Patch Gap Protection

Running software with known vulnerabilities?

BotEraser can help reduce exposure by blocking IPs associated with exploit activity — even before a patch is available.

Start Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Running software with known vulnerabilities?

Company

Resources

Services

Trusted

Subscribe