Lucene search

[email protected]CVE-2024-23688

HistoryJan 19, 2024 - 10:15 p.m.

CVE-2024-23688

2024-01-1922:15:08

CWE-323

CWE-330

[email protected]

web.nvd.nist.gov

consensys

discovery

aes

gcm

nonce

security

vulnerability

nvd

cve-2024-23688

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node’s private key isn’t compromised, only the session key generated for specific peer communication is exposed.

Affected configurations

NVD

Node

consensysdiscoveryRange<0.4.5

CPENameOperatorVersion
consensys:discoveryconsensys discoverylt0.4.5

CPE	Name	Operator	Version
consensys:discovery	consensys discovery	lt	0.4.5

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "tech.pegasys.discovery:discovery",
    "versions": [
      {
        "lessThan": "0.4.5",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]

References

github.com/advisories/GHSA-w3hj-wr2q-x83g

github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g

vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

Related for CVE-2024-23688

nvd1 osv2 prion1 cvelist1