CVE-2024-23342

CVSS V2 None CVSS V3 None

Description

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Overview

CVE ID
CVE-2024-23342

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-01-22T23:09:35.775Z

Last Modified Date
2024-01-22T23:09:35.775Z

Weakness Enumerations

CWE	URL
CWE-203	http://cwe.mitre.org/data/definitions/203.html
CWE-208	http://cwe.mitre.org/data/definitions/208.html
CWE-385	http://cwe.mitre.org/data/definitions/385.html

References

Reference URL	Reference Tags
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp	x_refsource_CONFIRM
https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md	x_refsource_MISC
https://minerva.crocs.fi.muni.cz/	x_refsource_MISC
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-23342
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23342

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 06:46:49				Added to TrackCVE