Lucene search

OpenJS FoundationFRIENDSOFPHP:PARAGONIE:ECC:CVE-2024-33851

HistoryApr 24, 2024 - 12:02 p.m.

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

2024-04-2412:02:00

OpenJS Foundation

github.com

mdanter/ecc

paragonie/ecc

timing vulnerability

cryptographic side-channels

composer package

github

code

branch-based leak

point addition

paragon initiative enterprises

hard-forked

upstream code

vulnerability

nvd

cve-2024-33851

security advisory

software

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Description phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. (This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library.) Paragon Initiative Enterprises hard-forked phpecc/phpecc and discovered the issue in the original code, then released v2.0.1 which fixes the vulnerability. The upstream code is no longer maintained and remains vulnerable for all versions. References https://nvd.nist.gov/vuln/detail/CVE-2024-33851 https://github.com/paragonie/phpecc/releases/tag/v2.0.1 phpecc/phpecc#289 https://github.com/FriendsOfPHP/security-advisories/blob/master/mdanter/ecc/CVE-2024-33851.yaml https://github.com/paragonie/phpecc/releases/tag/v2.0.0

Affected configurations

Vulners

Node

paragonieeccRange<2.0.1

CPENameOperatorVersion
paragonie/ecclt2.0.1

CPE	Name	Operator	Version
	paragonie/ecc	lt	2.0.1