CVE-2024-23342

Description

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

CVSS Metrics

• v3.1•HIGH•Score: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.62%• Percentile: 70%

Techniques & Countermeasures

• CWE-203•Observable Discrepancy

  The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

• CWE-208•Observable Timing Discrepancy

  Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

• CWE-385•Covert Timing Channel

  Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Affected Systems

• PyPI•ecdsa

  all

• tlsfuzzer•ecdsa

  ≤ 0.18.0

• tlsfuzzer•python-ecdsa

  ≤ 0.18.0

References (8)

• https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
• https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
• https://minerva.crocs.fi.muni.cz/
• https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
• https://nvd.nist.gov/vuln/detail/CVE-2024-23342
• https://github.com/tlsfuzzer/python-ecdsa
• https://minerva.crocs.fi.muni.cz
• https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python