CVE-2021-30130: Improper Certificate Validation in phpseclib
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-30130
GHSA ID
EPSS Score: 0.37152%
CWE
Published: 4/7/2021
Updated: 2/7/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpseclib/phpseclib | composer | >= 3.0.0, < 3.0.7 | 3.0.7 |
phpseclib/phpseclib | composer | < 2.0.31 | 2.0.31 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper PKCS#1 v1.5 signature verification. GitHub PR #1635 shows fixes to RSA signature verification and ASN.1 handling, and the release notes for the patched versions specifically mention a cleanup of PKCS#1 v1.5 verification. The `_rsassa_pkcs1_v1_5_verify` method is directly responsible for signature validation, and `verify()` is the public method that exposes this functionality. Commit messages reference fixes to ASN.1 decoding and strict signature validation, confirming these functions' involvement.
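To show what strict PKCS#1 v1.5 verification means in practice, the added Python example below (not phpseclib's code and not taken from PR #1635) rebuilds the single valid encoded message and compares it byte for byte with the value recovered from the signature, as RFC 8017 section 8.2.2 specifies, instead of parsing the recovered ASN.1. Assumptions: SHA-256 only, hypothetical function names, and a constructed toy key built from two Mersenne primes that is for demonstration and is not secure.

```python
import hashlib

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Build the one valid encoded message EM of length k for SHA-256."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for a SHA-256 DigestInfo")
    # 0x00 0x01, then 0xFF padding filling all remaining space, 0x00, then T.
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_strict(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Verify by re-encoding and comparing; nothing from the signature is parsed."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:           # signature must be exactly modulus-sized
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:                        # signature representative out of range
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    try:
        expected = emsa_pkcs1_v15_encode(message, k)
    except ValueError:
        return False
    # Any deviation (short padding, trailing bytes, altered ASN.1) fails here.
    return em == expected

# Constructed toy key for this demonstration only (Mersenne primes, NOT secure).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_raw(em: bytes) -> bytes:
    """Apply the toy private key to any EM, so malformed encodings can be tested."""
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")
```

Because the comparison is against a freshly built encoding, a signature whose recovered value has shortened padding or extra bytes after the digest is rejected even when it was produced with the real private key.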