CVE-2024-23342 — Vulnetix

CVE-2024-23342 PUBLISHED CVSS 7.400000095367432 HIGH

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

EPSS 0.62% · 70.5th percentile

Risk Scores

CVSS 3.1

7.400000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.62%

70.5th percentile

Affected Products

Vendor	Product	Versions
tlsfuzzer	ecdsa	0
tlsfuzzer	python-ecdsa	<= 0.18.0
PyPI	ecdsa	0

Exploit Intelligence

https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp (nist-nvd)
https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md (circl)
https://minerva.crocs.fi.muni.cz/ (circl)
https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ (circl)
unified_audit_runner.cpp (github-poc)
unified_audit_runner.cpp (github-poc)
unified_audit_runner.cpp (github-poc)
unified_audit_runner.cpp (github-poc)
unified_audit_runner.cpp (github-poc)
unified_audit_runner.cpp (github-poc)

…and 18 more exploits

Timeline

Jan 21, 1970 Security Advisory
Jan 22, 2024 CVE Published
Jan 24, 2024 EPSS Score
Feb 21, 2024 EPSS Score
Mar 20, 2024 EPSS Score
Apr 16, 2024 EPSS Score
May 14, 2024 EPSS Score
Jun 11, 2024 EPSS Score
Jul 9, 2024 EPSS Score
Aug 6, 2024 EPSS Score
Sep 30, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score

References

Open in Interactive Console →