Lucene search
+L

495 matches found

OSV
OSV
added 2024/04/25 6:31 p.m.16 views

GHSA-346H-749J-R28W PHPECC vulnerable to multiple cryptographic side-channel attacks

ECDSA Canonicalization PHPECC is vulnerable to malleable ECDSA signature attacks. Constant-Time Signer When generating a new ECDSA signature, the GMPMath adapter was used. This class wraps the GNU Multiple Precision arithmetic library GMP, which does not aim to provide constant-time implementatio...

9.1CVSS6.5AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2024/04/25 6:31 p.m.28 views

PHPECC vulnerable to multiple cryptographic side-channel attacks

ECDSA Canonicalization PHPECC is vulnerable to malleable ECDSA signature attacks. Constant-Time Signer When generating a new ECDSA signature, the GMPMath adapter was used. This class wraps the GNU Multiple Precision arithmetic library GMP, which does not aim to provide constant-time implementatio...

6.5AI score
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2024/04/25 12:0 a.m.5 views

PT-2024-40040 · Gnu · Gmp

Name of the Vulnerable Software and Affected Versions: PHPECC affected versions not specified Description: The issue concerns malleable ECDSA signature attacks. When generating new ECDSA signatures, the use of the GMPMath adapter, which wraps the GNU Multiple Precision arithmetic library GMP,...

9.1CVSS6.8AI score
Exploits0References4
Friends Of PHP
Friends Of PHP
added 2024/04/24 12:2 p.m.37 views

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library. Paragon Initiative Enterprises hard-forked...

4.3CVSS4.5AI score0.00408EPSS
Exploits0Affected Software1
OSV
OSV
added 2024/03/06 10:57 a.m.27 views

BIT-GOLANG-2023-24532 Incorrect calculation on P256 curves in crypto/internal/nistec

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh...

5.3CVSS7.3AI score0.0081EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2024/01/25 4:49 p.m.49 views

Moderate: Red Hat Security Advisory: openssl security update

An update for openssl is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

7.5CVSS6.7AI score0.03332EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2024/01/24 9:49 a.m.196 views

CVE-2024-23342

A flaw was found in the ecdsa PyPI package, a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior may be...

7.4CVSS6.8AI score0.00977EPSS
Exploits1References7
NVD
NVD
added 2024/01/23 12:15 a.m.76 views

CVE-2024-23342

The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior are vulnerable to the...

7.4CVSS7.4AI score0.00977EPSS
Exploits1References4
Prion
Prion
added 2024/01/23 12:15 a.m.22 views

Code injection

The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior are vulnerable to the...

4CVSS7AI score0.00977EPSS
Exploits1References4Affected Software1
UbuntuCve
UbuntuCve
added 2024/01/23 12:0 a.m.36 views

CVE-2024-23342

The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior are vulnerable to the...

7.4CVSS7.1AI score0.00977EPSS
Exploits1References5
Cvelist
Cvelist
added 2024/01/22 11:9 p.m.77 views

CVE-2024-23342 python-ecdsa vulnerable to Minerva attack on P-256

The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior are vulnerable to the...

7.4CVSS7.6AI score0.00977EPSS
Exploits1References4
CVE
CVE
added 2024/01/22 11:9 p.m.164 views

CVE-2024-23342

The CVE-2024-23342 entry concerns the python-ecdsa package (pure-Python ECC implementation) with support for ECDSA/EdDSA/ECDH. Versions 0.18.0 and earlier are vulnerable to the Minerva attack. The available connected documents confirm that the vulnerability is tied to this package and note the ab...

7.4CVSS7.2AI score0.00977EPSS
Exploits1References4Affected Software1
AlpineLinux
AlpineLinux
added 2024/01/22 11:9 p.m.72 views

CVE-2024-23342

The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Versions 0.18.0 and prior are vulnerable to the...

7.4CVSS7.3AI score0.00977EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2024/01/22 9:35 p.m.116 views

Minerva timing attack on P-256 in python-ecdsa

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the ecdsa.SigningKey.signdigest API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH...

7.4CVSS6.8AI score0.00977EPSS
Exploits1References6Affected Software1
Oracle linux
Oracle linux
added 2024/01/22 12:0 a.m.60 views

openssl security update

1:3.0.7-25.0.1 - Replace upstream references Orabug: 34340177 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted Resolves: RHEL-5317 - Don't limit using SHA1 in KDFs in non-FIPS mode. Resolves: RHEL-5295 - Provide empty evpproperties section in main OpenSSL configuration fi...

7.5CVSS6.8AI score0.05533EPSS
Exploits0
OSV
OSV
added 2023/12/11 3:30 p.m.22 views

GO-2023-2380 Private key recovery via invalid curve point in github.com/ecies/go/v2

An attacker may be able to recover private keys due to a bug in the ECDH function. The library does not check whether the provided public key is on the curve, which means that an attacker can create a public key that is not on the curve and use it to recover the private key. A workaround is to...

4.9CVSS4.8AI score0.00335EPSS
Exploits1References3
OSV
OSV
added 2023/12/05 11:30 p.m.20 views

GHSA-8J98-CJFR-QX3H github.com/ecies/go vulnerable to possible private key restoration

Impact If functions Encapsulate, Decapsulate and ECDH could be called by an attacker, he could recover any private key that he interacts with. Patches Patched in v2.0.8 Workarounds You could manually check public key by calling IsOnCurve function from secp256k1 libraries. References...

8.1CVSS4.9AI score0.00335EPSS
Exploits1References6
Prion
Prion
added 2023/12/05 12:15 a.m.14 views

Code injection

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If funcations Encapsulate, Decapsulate and ECDH could be called by an attacker, they could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade...

4CVSS6.9AI score0.00335EPSS
Exploits1References4Affected Software1
Tenable Nessus
Tenable Nessus
added 2023/11/15 12:0 a.m.32 views

Rockwell Automation Stratix Anonymous ECDH Denial of Service (CVE-2014-3470)

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service DoS condition, or perform a man-in-the-middle attack. This plugin only works with...

4.3CVSS7.5AI score0.85784EPSS
Exploits0References4
OSV
OSV
added 2023/09/14 5:10 p.m.27 views

GHSA-79RC-JJH6-RC89 PocketMine-MP server crash due to incorrect EC curve used for LoginPacket identityPublicKey

Impact The server uses ECDH to calculate a shared secret for the symmetric encryption key used to encrypt network packets after logging in. ECDH requires that the keys used must both belong to the same elliptic curve. In Minecraft: Bedrock Edition, the curve used is secp384r1. Using any other cur...

7.5CVSS7.2AI score
Exploits0References3
Rows per page
Query Builder