CVE-2024-23342

ADVISORY - github

Summary

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the ecdsa.SigningKey.sign_digest() API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.

EPSS Score⁠: 0.00622 (0.701)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-203⁠

Observable Discrepancy

CWE-208⁠

Observable Timing Discrepancy

CWE-385⁠

Covert Timing Channel

ADVISORY - github

CWE-203⁠

Observable Discrepancy

CWE-208⁠

Observable Timing Discrepancy

CWE-385⁠

Covert Timing Channel

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-203⁠

Observable Discrepancy

CWE-208⁠

Observable Timing Discrepancy

CWE-385⁠

Covert Timing Channel

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

(CWE-203|CWE-208|CWE-385)⁠

Impacted images

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.