{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-24532", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-01-25T21:19:20.641Z", "datePublished": "2023-03-08T19:40:45.425Z", "dateUpdated": "2024-08-02T10:56:04.340Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:07:52.290Z"}, "title": "Incorrect calculation on P256 curves in crypto/internal/nistec", "descriptions": [{"lang": "en", "value": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh."}], "affected": [{"vendor": "Go standard library", "product": "crypto/internal/nistec", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/internal/nistec", "versions": [{"version": "0", "lessThan": "1.19.7", "status": "affected", "versionType": "semver"}, {"version": "1.20.0-0", "lessThan": "1.20.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "P256Point.ScalarBaseMult"}, {"name": "P256Point.ScalarMult"}, {"name": "P256OrdInverse"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-682: Incorrect Calculation"}]}], "references": [{"url": "https://go.dev/issue/58647"}, {"url": "https://go.dev/cl/471255"}, {"url": "https://groups.google.com/g/golang-announce/c/3-TpUx48iQY"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1621"}], "credits": [{"lang": "en", "value": "Guido Vranken, via the Ethereum Foundation bug bounty program"}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230331-0011/"}, {"url": "https://go.dev/issue/58647", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/471255", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/3-TpUx48iQY", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-1621", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:56:04.340Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T15:58:31.679478Z", "id": "CVE-2023-24532", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:58:40.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230331-0011/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-07-31T20:15:44.256Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-01T15:58:31.679478Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:58:37.530Z"}}], "cna": {"title": "Incorrect calculation on P256 curves in crypto/internal/nistec", "credits": [{"lang": "en", "value": "Guido Vranken, via the Ethereum Foundation bug bounty program"}], "affected": [{"vendor": "Go standard library", "product": "crypto/internal/nistec", "versions": [{"status": "affected", "version": "0", "lessThan": "1.19.7", "versionType": "semver"}, {"status": "affected", "version": "1.20.0-0", "lessThan": "1.20.2", "versionType": "semver"}], "packageName": "crypto/internal/nistec", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "P256Point.ScalarBaseMult"}, {"name": "P256Point.ScalarMult"}, {"name": "P256OrdInverse"}]}], "references": [{"url": "https://go.dev/issue/58647"}, {"url": "https://go.dev/cl/471255"}, {"url": "https://groups.google.com/g/golang-announce/c/3-TpUx48iQY"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1621"}], "descriptions": [{"lang": "en", "value": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-682: Incorrect Calculation"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:07:52.290Z"}}}, "cveMetadata": {"cveId": "CVE-2023-24532", "state": "PUBLISHED", "dateUpdated": "2024-08-01T15:58:40.921Z", "dateReserved": "2023-01-25T21:19:20.641Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2023-03-08T19:40:45.425Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "15520F70-C473-425F-8B9F-FAD4804D32E8", "versionEndExcluding": "1.19.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFE15B38-D5B0-4231-BB31-228BAF815F72", "versionEndExcluding": "1.20.2", "versionStartIncluding": "1.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh."}], "id": "CVE-2023-24532", "lastModified": "2023-11-07T04:08:30.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-08T20:15:09.413", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/471255"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch"], "url": "https://go.dev/issue/58647"}, {"source": "security@golang.org", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/3-TpUx48iQY"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-1621"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-682"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4627", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-hub-rhel9:6.2.0-16", "product_name": "MTA-6.2-RHEL-9", "release_date": "2023-08-14T00:00:00Z"}, {"advisory": "RHSA-2023:5314", "cpe": "cpe:/a:redhat:openshift_api_data_protection:1.1::el8", "package": "oadp/oadp-velero-rhel8:1.1.6-7", "product_name": "OADP-1.1-RHEL-8", "release_date": "2023-09-20T00:00:00Z"}, {"advisory": "RHSA-2023:4657", "cpe": "cpe:/a:redhat:openshift_secondary_scheduler:1.1::el8", "package": "openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8:v1.1-30", "product_name": "OSSO-1.1-RHEL-8", "release_date": "2023-08-23T00:00:00Z"}, {"advisory": "RHSA-2023:3319", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8080020230517172404.6b4b45d8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-25T00:00:00Z"}, {"advisory": "RHSA-2023:3318", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "golang-0:1.19.9-2.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-25T00:00:00Z"}, {"advisory": "RHSA-2023:4892", "cpe": "cpe:/a:redhat:rhmt:1.7::el8", "package": "rhmtc/openshift-velero-plugin-rhel8:v1.7.12-1", "product_name": "Red Hat Migration Toolkit for Containers 1.7", "release_date": "2023-08-31T00:00:00Z"}, {"advisory": "RHSA-2023:5935", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-agent:1.3.0-10", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5935", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-downloader:1.3.0-11", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5935", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator:1.3.0-9", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:5935", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator-bundle:1.3.0-19", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2023-10-19T00:00:00Z"}, {"advisory": "RHSA-2024:1383", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package": "odf4/cephcsi-rhel9:v4.15.0-37", "product_name": "RHODF-4.15-RHEL-9", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2023:5947", "cpe": "cpe:/a:redhat:run_once_duration_override_operator:1.0::el8", "package": "run-once-duration-override-operator/run-once-duration-override-rhel8:v1.0-30", "product_name": "RODOO-1.0-RHEL-8", "release_date": "2023-10-26T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/prometheus-webhook-snmp-rhel8:1.5.2-8", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/service-telemetry-operator-bundle:1.5.1697612918-1", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/service-telemetry-rhel8-operator:1.5.1-8", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/sg-bridge-rhel8:1.5.0-18", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/sg-core-rhel8:5.1.1-8", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/smart-gateway-operator-bundle:5.0.1697612918-1", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}, {"advisory": "RHSA-2023:5976", "cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "package": "stf/smart-gateway-rhel8-operator:5.0.1-9", "product_name": "STF-1.5-RHEL-8", "release_date": "2023-10-20T00:00:00Z"}], "bugzilla": {"description": "golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results", "id": "2223355", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2223355"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-682", "details": ["The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.", "A flaw was found in the crypto/internal/nistec golang library. The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars, such as a scalar larger than the order of the curve. This does not impact usages of crypto/ecdsa or crypto/ecdh."], "name": "CVE-2023-24532", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Not affected", "package_name": "cryostat-20-tech-preview/cryostat-rhel8-operator", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-rhv-populator-rhel8", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Affected", "package_name": "network-observability/network-observability-rhel8-operator", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-operator-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/volsync-mover-rclone-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Will not fix", "package_name": "integration-service-registry-operator-container", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Affected", "package_name": "go-toolset-1.19-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-mm-rest-proxy-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "openstack-baremetal-image-downloader-container", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "go-toolset-7-golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:webterminal:1", "fix_state": "Affected", "package_name": "web-terminal-operator-container", "product_name": "Red Hat Web Terminal"}], "public_date": "2023-03-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-24532\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-24532\nhttps://go.dev/cl/471255\nhttps://go.dev/issue/58647\nhttps://groups.google.com/g/golang-announce/c/3-TpUx48iQY\nhttps://pkg.go.dev/vuln/GO-2023-1621"], "threat_severity": "Moderate", "upstream_fix": "Go 1.20.2 and Go 1.19.7"}