
Improper Verification of Cryptographic Signature

CVE-2020-36843

Severity Medium
Score 4.3/10

Summary

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message. This issue affects net.i2p:i2p versions prior to 0.9.39 and net.i2p.crypto:eddsa.
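A defensive check for the malleability described above, as an added example that is not code from EdDSA-Java or I2P. It assumes the malleability is the well-known Ed25519 case in which the verifier accepts a scalar S outside the range 0 <= S < L that RFC 8032 (section 5.1.7) requires; the class name, method names and test buffers are constructed for illustration.

```java
import java.math.BigInteger;

// Added example: canonical-S pre-check for 64-byte Ed25519 signatures (R || S).
public class CanonicalSCheck {
    // Order of the Ed25519 base-point subgroup:
    // L = 2^252 + 27742317777372353535851937790883648493
    static final BigInteger L = BigInteger.ONE.shiftLeft(252)
            .add(new BigInteger("27742317777372353535851937790883648493"));

    /** Returns true only if sig is 64 bytes and its S half encodes an integer in [0, L). */
    static boolean hasCanonicalS(byte[] sig) {
        if (sig == null || sig.length != 64) {
            return false;
        }
        // S is the second 32 bytes, little-endian; reverse it for BigInteger.
        byte[] bigEndian = new byte[32];
        for (int i = 0; i < 32; i++) {
            bigEndian[i] = sig[63 - i];
        }
        BigInteger s = new BigInteger(1, bigEndian); // signum 1 = non-negative
        return s.compareTo(L) < 0;
    }

    // Constructed test input: zeroed R plus the given S. Not a real signature;
    // it only exercises the range check.
    static byte[] withS(BigInteger s) {
        byte[] sig = new byte[64];
        byte[] bigEndian = s.toByteArray();
        for (int i = 0; i < bigEndian.length && i < 32; i++) {
            sig[32 + i] = bigEndian[bigEndian.length - 1 - i];
        }
        return sig;
    }

    public static void main(String[] args) {
        BigInteger small = new BigInteger("123456789");
        // S well inside the range
        System.out.println("small S:     " + hasCanonicalS(withS(small)));
        // S = L - 1, the largest value in the range
        System.out.println("S = L - 1:   " + hasCanonicalS(withS(L.subtract(BigInteger.ONE))));
        // S = L, the smallest value outside the range
        System.out.println("S = L:       " + hasCanonicalS(withS(L)));
        // A second encoding that is congruent to the first modulo L
        System.out.println("small S + L: " + hasCanonicalS(withS(small.add(L))));
        // Wrong length
        System.out.println("63 bytes:    " + hasCanonicalS(new byte[63]));
    }
}
```

Calling `hasCanonicalS` before handing a signature to the verifier rejects out-of-range encodings independently of the library version in use.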

  • LOW
  • LOCAL
  • LOW
  • CHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-347 - Improper Verification of Cryptographic Signature

A cryptographic protocol is meant to ensure that services are provided in a secure manner. An application with absent or improper verification of cryptographic signatures allows malicious users to feed false messages to valid users or to disclose sensitive data, subverting the goals of the protocol. This can lead to security failures such as false authentication, account hijacking, and privilege escalation.

Advisory Timeline

  • Published