GitHub Advisory DatabaseGHSA-8J98-CJFR-QX3Hgithub.com/ecies/go vulnerable to possible private key restoration
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.6%
Impact
If functions Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, he could recover any private key that he interacts with.
Patches
Patched in v2.0.8
Workarounds
You could manually check public key by calling IsOnCurve() function from secp256k1 libraries.
References
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/ecies/go/v2 | lt | 2.0.8 |
References
github.com/advisories/GHSA-8j98-cjfr-qx3h
github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
github.com/ecies/go/releases/tag/v2.0.8
github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
nvd.nist.gov/vuln/detail/CVE-2023-49292
Related
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.6%