An issue was discovered in IO FinNet tss-lib before 2.0.0. The parameter ssid for defining a session id is not used through the MPC implementation, which makes replaying and spoofing of messages easier. In particular, the Schnorr proof of knowledge implemented in sch.go does not utilize a session id, context, or random nonce in the generation of the challenge. This could allow a malicious user or an eavesdropper to replay a valid proof sent in the past.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2023-04-21T00:00:00
Updated: 2023-04-21T00:00:00
Reserved: 2022-12-22T00:00:00
Link: CVE-2022-47930
JSON object: View
NVD Information
Status : Modified
Published: 2023-04-21T18:15:07.377
Modified: 2023-11-07T03:56:26.160
Link: CVE-2022-47930
JSON object: View
Redhat Information
No data.
CWE