[GHSA-q9hv-hpm4-hj6x] CIRCL has an incorrect calculation in secp384r1 CombinedMult#7173
Hi there @mschwarzl! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GHSA advisory metadata to reflect an updated CVSS v4 vector and severity for the CIRCL secp384r1 CombinedMult calculation issue.
Changes:
- Updated the advisory modified timestamp.
- Updated the CVSS v4 vector in severity[].score.
- Raised overall advisory severity from LOW to MODERATE.
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber" | ||
| "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" | ||
| } |
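Review bot: the new "score" line drops the supplemental metrics S:N/AU:Y/U:Amber that the old line carried, while the contributor's comment below asks that they be retained because they do not influence the score; suggest the replacement value read `"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/U:Amber"` so the stored vector matches the intended final vector stated in the comment.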
Current vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber
Score: 2.9 (LOW)

Proposed vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/U:Amber
Score: 6.3 (MEDIUM)

Removal of E:P (Exploit Maturity): Threat Metrics are intended to reflect the current threat landscape and require continuous updates. As GHSA does not maintain an ongoing update process for Threat Metrics, including a static E:P value artificially suppresses the score and may mislead consumers. Since Threat Metrics can only lower the Base score, an outdated value is more harmful than omitting it.

VA:L → VA:N: The advisory does not describe any availability impact. The incorrect calculation in CombinedMult does not cause a denial-of-service condition, so VA:L is not justified.

SC/SI/SA:L → SC/SI/SA:N: The advisory explicitly states "ECDH and ECDSA signing relying on this curve are not affected." There is no demonstrated impact on subsequent systems, making SC/SI/SA:N the appropriate value.

The "Suggest improvements" form on GitHub does not support input of Supplemental Metrics. However, the current advisory includes S:N/AU:Y/U:Amber, and since Supplemental Metrics have no effect on the CVSS score, we recommend retaining these values as-is when applying the proposed changes. The intended final vector, including Supplemental Metrics, is:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/U:Amber
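As an added example (not part of this PR or of the advisory database tooling), the following Python parses CVSS v4.0 vector strings by metric group, diffs the current and proposed vectors from this advisory, and flags supplemental metrics that a proposed update silently drops; it does not compute the numeric score, since that needs the v4 MacroVector lookup table.

```python
# Added example: parse CVSS v4.0 vectors into metric groups and diff two
# vectors so an advisory update can be checked for dropped metrics before
# merge. Metric names follow the CVSS v4.0 specification.
GROUPS = {
    "Base": ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"],
    "Threat": ["E"],
    "Environmental": ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                      "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"],
    "Supplemental": ["S", "AU", "R", "V", "RE", "U"],
}
GROUP_OF = {m: g for g, ms in GROUPS.items() for m in ms}

def parse_cvss4(vector: str) -> dict:
    """Return {metric: value}; raise ValueError on malformed or unknown parts."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or name not in GROUP_OF or not value:
            raise ValueError(f"bad metric segment {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in GROUPS["Base"] if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics

def diff_vectors(old: str, new: str) -> dict:
    """Map each metric whose value differs to (old, new); '' marks absent."""
    a, b = parse_cvss4(old), parse_cvss4(new)
    return {m: (a.get(m, ""), b.get(m, "")) for m in sorted(set(a) | set(b))
            if a.get(m) != b.get(m)}

def dropped_supplemental(old: str, new: str) -> list:
    """Supplemental metrics present in old but absent in new (score-neutral)."""
    return [m for m, (o, n) in diff_vectors(old, new).items()
            if GROUP_OF[m] == "Supplemental" and o and not n]

# Vectors copied from the advisory diff in this PR.
CURRENT = "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber"
PROPOSED = "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"

if __name__ == "__main__":
    for m, (o, n) in diff_vectors(CURRENT, PROPOSED).items():
        print(f"{GROUP_OF[m]:13} {m}: {o or '-'} -> {n or '-'}")
    print("dropped supplemental:", dropped_supplemental(CURRENT, PROPOSED))
```

Run against the two vectors in this PR it reports the E, VA, SC, SI and SA changes and lists AU, S and U as supplemental metrics missing from the proposed value.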