CVE-2024-23342

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of the time of publication, no known patched version exists.

Configurations

Configuration 1

cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*

History

06 Feb 2024, 18:36

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 7.4 |
| First Time | | Tlsfuzzer ecdsa; Tlsfuzzer |
| CPE | | cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:* |
| References | https://minerva.crocs.fi.muni.cz/ | https://minerva.crocs.fi.muni.cz/ - Technical Description |
| References | https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md | https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md - Product |
| References | https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ | https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ - Technical Description |
| References | https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp | https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp - Exploit, Vendor Advisory |

23 Jan 2024, 00:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2024-01-23 00:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-23342

Mitre link : CVE-2024-23342

CVE.ORG link : CVE-2024-23342


Products Affected

tlsfuzzer

  • ecdsa

CWE

CWE-203

Observable Discrepancy

CWE-208

Observable Timing Discrepancy

CWE-385

Covert Timing Channel