CVE-2015-9258

{"id": "CVE-2015-9258", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-03-31T21:29:00.250", "references": [{"url": "https://docs.docker.com/notary/changelog/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/theupdateframework/notary/blob/master/docs/resources/ncc_docker_notary_audit_2015_07_31.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Algorithm Not Matched to Key vulnerability. Because an attacker controls the field specifying the signature algorithm, they might (for example) be able to forge a signature by forcing a misinterpretation of an RSA-PSS key as Ed25519 elliptic-curve data."}, {"lang": "es", "value": "En Docker Notary en versiones anteriores a la 0.1, gotuf/signed/verify.go tiene una vulnerabilidad de algoritmo de firma que no coincide con la clave. Dado que un atacante controla el campo que especifica el algoritmo de la firma, podr\u00eda (por ejemplo) forjar una firma al forzar que se malinterprete una clave RSA-PSS como datos Ed25519 de curva el\u00edptica."}], "lastModified": "2018-05-01T13:21:54.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:docker:notary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73F8D468-F648-4D87-AD52-AFA1AABC9A8E", "versionEndExcluding": "0.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}