CVE-2024-23342 - OpenCVE

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Tlsfuzzer	Ecdsa

Configuration 1 [-]

cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*

References

Link	Resource
https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md	Product
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp	Exploit Vendor Advisory
https://minerva.crocs.fi.muni.cz/	Technical Description
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/	Technical Description

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T23:09:35.775Z

Updated: 2024-01-22T23:09:35.775Z

Reserved: 2024-01-15T15:19:19.444Z

Link: CVE-2024-23342

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-23T00:15:26.397

Modified: 2024-02-06T18:36:47.733

Link: CVE-2024-23342

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-23342", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T23:09:35.775Z", "dateUpdated": "2024-01-22T23:09:35.775Z"}, "containers": {"cna": {"title": "python-ecdsa vulnerable to Minerva attack on P-256", "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "lang": "en", "description": "CWE-203: Observable Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-385", "lang": "en", "description": "CWE-385: Covert Timing Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}], "affected": [{"vendor": "tlsfuzzer", "product": "python-ecdsa", "versions": [{"version": "<= 0.18.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T23:09:35.775Z"}, "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}], "source": {"advisory": "GHSA-wj6h-64fc-37mp", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*", "matchCriteriaId": "32CDB19B-B6CA-4F1D-B5DC-9140D7EB7B3E", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}, {"lang": "es", "value": "El paquete PyPI `ecdsa` es una implementaci\u00f3n pura de Python de ECC (criptograf\u00eda de curva el\u00edptica) con soporte para ECDSA (algoritmo de firma digital de curva el\u00edptica), EdDSA (algoritmo de firma digital de curva Edwards) y ECDH (curva el\u00edptica Diffie-Hellman). Las versiones 0.18.0 y anteriores son vulnerables al ataque Minerva. Al momento de la publicaci\u00f3n, no existe ninguna versi\u00f3n parcheada conocida."}], "id": "CVE-2024-23342", "lastModified": "2024-02-06T18:36:47.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-23T00:15:26.397", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-208"}, {"lang": "en", "value": "CWE-385"}], "source": "security-advisories@github.com", "type": "Primary"}]}