Vulnerability Details CVE-2024-23342
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.1%
CVSS Severity
CVSS v3 Score 7.4
References
- https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
- https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
- https://minerva.crocs.fi.muni.cz/
- https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
- https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
- https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
- https://minerva.crocs.fi.muni.cz/
- https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
Products affected by CVE-2024-23342
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.10
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.11
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.12
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.13
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.13.1
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.13.2
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.13.3
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.14
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.14.1
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.15
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.16.0
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.16.1
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.17.0
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.5
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.6
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.7
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.8
-
cpe:2.3:a:tlsfuzzer:ecdsa:0.9
-
cpe:2.3:a:tlsfuzzer:ecdsa:1.8.0