7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
33.0%
ecdsa is vulnerable to Minerva Attack. The vulnerability is due to timing discrepancies within the ecdsa.SigningKey.sign_digest
function, which allows attackers to deduce the private key by analyzing the time taken to generate ECDSA signatures with varying nonce sizes. The maintainers will not provide a fix, and replied to the disclosure with > As stated in the security policy side-channel vulnerabilities are outside the scope of the project. Not because we don’t want side-channel secure implementation, but because the main goal of the project is to be pure python and implementing side-channel free code in pure python is impossible. > As such, we don’t plan to release a fix to this vulnerability.
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
33.0%