CVE-2024-23342

Exploit

EPSS 0.99%
Veröffentlicht 23.01.2024 00:15:26
Zuletzt bearbeitet 26.08.2025 21:33:47
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

python-ecdsa vulnerable to Minerva attack on P-256

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tlsfuzzer ≫ Ecdsa SwPlatformpython Version <= 0.18.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.99%	0.578

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-385 Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

https://minerva.crocs.fi.muni.cz/

Technical Description

https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

Technical Description

https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md

Product

https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-23342

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-23342

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-23342

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-23342