5.3
CVE-2024-23688
- EPSS 0.49%
- Veröffentlicht 19.01.2024 22:15:08
- Zuletzt bearbeitet 29.11.2025 03:15:57
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
LoginConsensys Discovery Nonce Reuse
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.381 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-323 Reusing a Nonce, Key Pair in Encryption
Nonces should be used for the present occasion and only once.
CWE-330 Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g
https://github.com/advisories/GHSA-w3hj-wr2q-x83g
https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g