CVE-2024-23342: Observable Discrepancy in Python-ecdsa

Severity: 7.4 HIGH (NVD)
EPSS: 0.6% (top 29.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-01-23

Description

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack: the time taken to produce an ECDSA signature depends on the bit length of the secret per-signature nonce, and an attacker who can time enough signatures made with the same private key can recover that key from the leaked nonce lengths. As of the time of publication, no known patched version exists.
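The discrepancy lives in the scalar multiplication that computes k*G for the nonce k during signing: a loop that starts at the top set bit of k runs fewer iterations for a shorter nonce, and Minerva turns the nonce bit lengths measured across many signatures into a lattice problem whose solution is the private key. The pure-Python model below is added here to show the shape of that leak; it is not code from python-ecdsa, and the toy curve (y^2 = x^3 + 2x + 3 over GF(97), base point (3, 6)), the operation-count proxy for time and all function names are illustrative assumptions.

```python
"""Model of the scalar-multiplication timing leak behind the Minerva attack.

Added illustration, not code from python-ecdsa: a toy curve over a tiny
prime field (assumed parameters, chosen so the arithmetic can be checked
by hand) and two scalar multiplications that compute the same point while
doing a different, observable, amount of work.
"""

# Assumed toy curve y^2 = x^3 + A*x + B over GF(P); G lies on it (36 == 6**2).
P = 97
A = 2
B = 3
G = (3, 6)
INF = None  # point at infinity


def point_double(pt):
    """Return 2*pt using the affine Weierstrass doubling formula."""
    if pt is INF:
        return INF
    x, y = pt
    if y == 0:  # vertical tangent: 2*pt is the point at infinity
        return INF
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)


def point_add(p1, p2):
    """Return p1 + p2, handling the infinity, inverse and equal-point cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1
            return INF
        return point_double(p1)  # p2 == p1
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult_leaky(k, pt):
    """Double-and-add that begins at the top SET bit of k.

    The loop body runs k.bit_length() times, so the amount of work (our
    stand-in for signing time) reveals how many leading zero bits the nonce
    has. This is the class of discrepancy Minerva exploits; it models the
    leak, not python-ecdsa's actual code path.
    Returns (k*pt, number of group operations performed).
    """
    if k == 0:
        return INF, 0
    acc, ops = INF, 0
    for bit in bin(k)[2:]:
        acc = point_double(acc)
        ops += 1
        if bit == "1":
            acc = point_add(acc, pt)
            ops += 1
    return acc, ops


def scalar_mult_fixed(k, pt, width):
    """Montgomery ladder over a fixed number of bits, independent of k.

    Each iteration does exactly one add and one double, so the operation
    count is 2*width for every k < 2**width. (Real constant-time code must
    also replace the data-dependent branch below with a constant-time swap;
    the operation count is the only thing this model fixes.)
    Returns (k*pt, number of group operations performed).
    """
    if not 0 <= k < (1 << width):
        raise ValueError("k must fit in the fixed width")
    r0, r1, ops = INF, pt, 0  # invariant: r1 == r0 + pt
    for i in reversed(range(width)):
        if (k >> i) & 1:
            r0, r1 = point_add(r0, r1), point_double(r1)
        else:
            r1, r0 = point_add(r0, r1), point_double(r0)
        ops += 2
    return r0, ops


def leaked_bit_length(k):
    """What the leaky variant's work count gives away: the bit length of k
    (operations minus the adds, and the adds equal popcount(k))."""
    _, ops = scalar_mult_leaky(k, G)
    return ops - bin(k).count("1")
```

Run both variants on nonces of different lengths and compare the returned counts: `scalar_mult_leaky` tracks `k.bit_length()`, while `scalar_mult_fixed` returns `2*width` for every k and the same point. Group operations stand in for wall-clock time here; on a real 256-bit curve the same dependence shows up as a small, statistically measurable difference in signing latency, which is why the attack needs many signatures rather than one.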

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: tlsfuzzer/python-ecdsa 0.18.0 and prior
NVD: tlsfuzzer/ecdsa 0.18.0 and prior

Vulnerability Details (4 sources)

OSV (2024-01-23): CVE-2024-23342: The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature
GHSA (2024-01-22): Minerva timing attack on P-256 in python-ecdsa
OSV (2024-01-22): Minerva timing attack on P-256 in python-ecdsa
CVEList (2024-01-22): python-ecdsa vulnerable to Minerva attack on P-256

Vendor Advisories (2 sources)

Red Hat (2024-01-23): python-ecdsa: vulnerable to the Minerva attack
Debian (2024): CVE-2024-23342: python-ecdsa - The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve ...