CVE-2024-23342

2024-01-2300:15:26

CWE-385

CWE-203

CWE-208

GitHub_M

web.nvd.nist.gov

ecdsa

pypi

ecc

ecdsa

eddsa

ecdh

minerva attack

vulnerability

nvd

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

32.8%

JSON

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Affected configurations

Nvd

Vulners

Node

tlsfuzzerecdsaRange≤1.8.0python

VendorProductVersionCPE
tlsfuzzerecdsa*cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
tlsfuzzer	ecdsa	*	cpe:2.3:a:tlsfuzzer:ecdsa::::::python::*

CNA Affected

[
  {
    "vendor": "tlsfuzzer",
    "product": "python-ecdsa",
    "versions": [
      {
        "version": "<= 0.18.0",
        "status": "affected"
      }
    ]
  }
]