CVE-2023-24532 — Incorrect Calculation in Standard Library Crypto Internal Nistec

CWE-682 — Incorrect Calculation8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 92.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto Internal Nistec Golang GO

Timeline

PublishedMar 8

Latest updateMar 14

Description

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5go_standard_library/crypto_internal_nistec1.20.0-0 — 1.20.2+1

▶NVDgolang/go1.20.0 — 1.20.2+1

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

Incorrect calculation on P256 curves in crypto/internal/nistec↗2023-03-08

▶

CVEList

Incorrect calculation on P256 curves in crypto/internal/nistec↗2023-03-08

▶

OSV

CVE-2023-24532: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar la↗2023-03-08

▶

GHSA

GHSA-x2w5-7wp4-5qff: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar la↗2023-03-08

▶

📋Vendor Advisories

Microsoft

Incorrect calculation on P256 curves in crypto/internal/nistec↗2023-03-14

▶

Red Hat

golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results↗2023-03-08

▶

Debian

CVE-2023-24532: golang-1.15 - The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorr...↗2023

▶