CVE-2024-23342 - OpenCVE

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Rhui
Tlsfuzzer	Ecdsa

Configuration 1 [-]

cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*

Package	CPE	Advisory	Released Date
RHUI 4 for RHEL 8
python-ecdsa-0:0.18.0-4.el8ui	cpe:/a:redhat:rhui:4::el8	RHSA-2024:1878	2024-04-18T00:00:00Z

References

Link	Providers
https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
https://minerva.crocs.fi.muni.cz/
https://nvd.nist.gov/vuln/detail/CVE-2024-23342
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
https://www.cve.org/CVERecord?id=CVE-2024-23342

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T23:09:35.775Z

Updated: 2024-08-01T22:59:32.162Z

Reserved: 2024-01-15T15:19:19.444Z

Link: CVE-2024-23342

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-23T00:15:26.397

Modified: 2024-02-06T18:36:47.733

Link: CVE-2024-23342

Redhat

Severity : Moderate

Publid Date: 2024-01-23T00:00:00Z

Links: CVE-2024-23342 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23342", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T23:09:35.775Z", "dateUpdated": "2024-08-01T22:59:32.162Z"}, "containers": {"cna": {"title": "python-ecdsa vulnerable to Minerva attack on P-256", "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "lang": "en", "description": "CWE-203: Observable Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-385", "lang": "en", "description": "CWE-385: Covert Timing Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}], "affected": [{"vendor": "tlsfuzzer", "product": "python-ecdsa", "versions": [{"version": "<= 0.18.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T23:09:35.775Z"}, "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}], "source": {"advisory": "GHSA-wj6h-64fc-37mp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.162Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*", "matchCriteriaId": "32CDB19B-B6CA-4F1D-B5DC-9140D7EB7B3E", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}, {"lang": "es", "value": "El paquete PyPI `ecdsa` es una implementaci\u00f3n pura de Python de ECC (criptograf\u00eda de curva el\u00edptica) con soporte para ECDSA (algoritmo de firma digital de curva el\u00edptica), EdDSA (algoritmo de firma digital de curva Edwards) y ECDH (curva el\u00edptica Diffie-Hellman). Las versiones 0.18.0 y anteriores son vulnerables al ataque Minerva. Al momento de la publicaci\u00f3n, no existe ninguna versi\u00f3n parcheada conocida."}], "id": "CVE-2024-23342", "lastModified": "2024-02-06T18:36:47.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-23T00:15:26.397", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-208"}, {"lang": "en", "value": "CWE-385"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1878", "cpe": "cpe:/a:redhat:rhui:4::el8", "package": "python-ecdsa-0:0.18.0-4.el8ui", "product_name": "RHUI 4 for RHEL 8", "release_date": "2024-04-18T00:00:00Z"}], "bugzilla": {"description": "python-ecdsa: vulnerable to the Minerva attack", "id": "2259780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259780"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "(CWE-203|CWE-208|CWE-385)", "details": ["The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.", "A flaw was found in the `ecdsa` PyPI package, a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior may be vulnerable to the Minerva attack."], "name": "CVE-2024-23342", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-ecdsa", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-ecdsa", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite-capsule:el8/python-ecdsa", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/python-ecdsa", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23342\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23342\nhttps://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md\nhttps://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp\nhttps://minerva.crocs.fi.muni.cz/\nhttps://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"], "threat_severity": "Moderate"}