Homepage
About Snyk

Timing Attack Affecting ecdsa package, versions [0,]

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.08% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-ECDSA-6184115
  • published 23 Jan 2024
  • disclosed 22 Jan 2024
  • credit Hubert Kario
Report a new vulnerability Found a mistake?

Introduced: 22 Jan 2024

CVE-2024-23342 Open this link in a new tab
CWE-208 Open this link in a new tab

How to fix?

There is no fixed version for ecdsa.

Overview

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Timing Attack via the sign_digest API function. An attacker can leak the internal nonce which may allow for private key discovery by timing signatures.

Notes:

  1. This library was not designed with security in mind. If you are processing data that needs to be protected we suggest you use a quality wrapper around OpenSSL. pyca/cryptography is one example of such a wrapper

  2. That means both ECDSA signatures, key generation and ECDH operations are affected. ECDSA signature verification is unaffected.

  3. The maintainers don't plan to release a fix to this vulnerability.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.4 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

7.4 high
Expand this section

Red Hat

7.4 high