CVE-2022-23001 - Vulnerability Details

Vendors	Products
Westerndigital	Sweet B

Source	ID	Title
EUVD	EUVD-2022-28112	When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.

Link	Providers
https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities

{"containers": {"cna": {"affected": [{"product": "Sweet B Library", "vendor": "Western Digital", "versions": [{"lessThan": "v2", "status": "affected", "version": "Sweet B Library", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-682", "description": "CWE-682 Incorrect Calculation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-29T18:51:26", "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", "shortName": "WDC PSIRT"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities"}], "solutions": [{"lang": "en", "value": "The vulnerability was addressed by correcting the choice of sign bit in the affected routines. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b"}], "source": {"discovery": "INTERNAL"}, "title": "Sweet-B Library: Point compress/decompress using the wrong bit for sign", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@wdc.com", "ID": "CVE-2022-23001", "STATE": "PUBLIC", "TITLE": "Sweet-B Library: Point compress/decompress using the wrong bit for sign"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Sweet B Library", "version": {"version_data": [{"version_affected": "<", "version_name": "Sweet B Library", "version_value": "v2"}]}}]}, "vendor_name": "Western Digital"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-682 Incorrect Calculation"}]}]}, "references": {"reference_data": [{"name": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities", "refsource": "MISC", "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities"}]}, "solution": [{"lang": "en", "value": "The vulnerability was addressed by correcting the choice of sign bit in the affected routines. To get the latest version of the Sweet B library, update your local repository from https://github.com/westerndigitalcorporation/sweet-b"}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:42.996Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities"}]}]}, "cveMetadata": {"assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a", "assignerShortName": "WDC PSIRT", "cveId": "CVE-2022-23001", "datePublished": "2022-07-29T18:51:26", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-08-03T03:28:42.996Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:westerndigital:sweet_b:1:*:*:*:*:*:*:*", "matchCriteriaId": "BD0868BB-4143-41EC-9A15-C16C98EF851C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components."}, {"lang": "es", "value": "Cuando son comprimidos o descomprimidos puntos de curvas el\u00edpticas usando la biblioteca Sweet B, es usada una elecci\u00f3n incorrecta del bit de signo. Un atacante con privilegios de nivel de usuario y sin ayuda de otros usuarios puede explotar esta vulnerabilidad con s\u00f3lo conocer la clave p\u00fablica y la biblioteca. La salida resultante puede causar un error cuando es usada en otras operaciones; por ejemplo, la verificaci\u00f3n de una firma v\u00e1lida bajo una clave p\u00fablica descomprimida puede fallar. Esto puede ser aprovechado por un atacante para causar un escenario de error en las aplicaciones que usan la biblioteca, resultando en una denegaci\u00f3n de servicio limitada para un usuario individual. El alcance del impacto no puede extenderse a otros componentes"}], "id": "CVE-2022-23001", "lastModified": "2024-11-21T06:47:46.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@wdc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-29T19:15:08.123", "references": [{"source": "psirt@wdc.com", "tags": ["Product", "Vendor Advisory"], "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities"}], "sourceIdentifier": "psirt@wdc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-682"}], "source": "psirt@wdc.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-682"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object