CVE-2023-49292 — Sensitive Information Exposure in Ecies GO V2

CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 59.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7

Github.com Ecies GO V2 Ecies GO Msrc Azl3 Golang 1.23.9-1 ON Azure Linux 3.0 +4 more

Timeline

PublishedDec 5

Latest updateDec 12

Description

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If funcations Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, they could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5

Affected Packages7 packages

▶NVDecies/go< 2.0.8

▶Gogithub.com/ecies_go_v2< 2.0.8

▶msrcmsrc/azl3_golang_1.23.9-1_on_azure_linux_3.0

▶msrcmsrc/azl3_golang_1.24.3-1_on_azure_linux_3.0

▶msrcmsrc/cbl2_golang_1.18.8-7_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

3

OSV

Private key recovery via invalid curve point in github.com/ecies/go/v2↗2023-12-11

▶

OSV

github.com/ecies/go vulnerable to possible private key restoration↗2023-12-05

▶

GHSA

github.com/ecies/go vulnerable to possible private key restoration↗2023-12-05

▶

📋Vendor Advisories

1

Microsoft

Possible private key restoration in go package github.com/ecies/go↗2023-12-12

▶

CVE-2023-49292 — Sensitive Information Exposure | cvebase