Failure to properly verify ed25519 signatures in libp2p-core · CVE-2019-15545 · GitHub Advisory Database · GitHub

Failure to properly verify ed25519 signatures in libp2p-core

High severity GitHub Reviewed Published Aug 25, 2021 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

libp2p-core (Rust)

Affected versions

< 0.8.1

Patched versions

0.8.1

Description

Affected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid. This allows an attacker to impersonate any node identity.

References

Reviewed Aug 19, 2021

Published to the GitHub Advisory Database Aug 25, 2021

Last updated Jun 13, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N