Vulnerability: Invalid Curve Attack in openCryptoki

Vulnerability: Invalid Curve Attack in openCryptoki

CVE-2021-3798 · MEDIUM Severity

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

Learn more about our User Device Pen Test.