Vulnerability CVE-2024-23342
Published: 2024-01-23

Description:
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Type:

CWE-203

 (Information Exposure Through Discrepancy)

 References:
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
https://minerva.crocs.fi.muni.cz/
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
Copyright 2024, cxsecurity.com

 

Back to Top