CVE-2024-23342 python-ecdsa vulnerable to Minerva attack on P-256

2024-01-2223:09:35

CWE-208

CWE-385

CWE-203

GitHub_M

www.cve.org

cve-2024-23342

pypi package

elliptic curve cryptography

ecdsa

eddsa

ecdh

minerva attack

vulnerable

no patch available

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

33.0%

JSON

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

CNA Affected

[
  {
    "vendor": "tlsfuzzer",
    "product": "python-ecdsa",
    "versions": [
      {
        "version": "<= 0.18.0",
        "status": "affected"
      }
    ]
  }
]