friendsofphp | OpenJS Foundation | FRIENDSOFPHP:DANTER:ECC:CVE-2024-33851
Apr 24, 2024 - 12:02 p.m.

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

2024-04-24 12:02:00
OpenJS Foundation
github.com
phpecc
cryptographic side-channels
ecdsa
constanttimemath
php 8.4
security fixes
malleable ecdsa signatures
double-spend attacks
constant-time signer
ecdh timing leaks
ieee-p1363 signature format
migration guide

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Description

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. (This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library.) Paragon Initiative Enterprises hard-forked phpecc/phpecc and discovered the issue in the original code, then released v2.0.1, which fixes the vulnerability. The upstream code is no longer maintained and remains vulnerable for all versions.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-33851
https://github.com/paragonie/phpecc/releases/tag/v2.0.1
phpecc/phpecc#289
https://github.com/FriendsOfPHP/security-advisories/blob/master/mdanter/ecc/CVE-2024-33851.yaml
https://github.com/paragonie/phpecc/releases/tag/v2.0.0

Affected configurations

Vulners
Node: mdanter ecc, Range <2.0.0

CPE  Name  Operator  Version
mdanter/ecc  lt  2.0.0
