CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
20.4%
If functions Encapsulate()
, Decapsulate()
and ECDH()
could be called by an attacker, he could recover any private key that he interacts with.
Patched in v2.0.8
You could manually check public key by calling IsOnCurve()
function from secp256k1 libraries.
github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
github.com/ecies/go
github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
github.com/ecies/go/releases/tag/v2.0.8
github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
nvd.nist.gov/vuln/detail/CVE-2023-49292
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
20.4%