Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37392.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-37392
Upstream
Published
2023-12-05T00:15:09Z
Modified
2026-04-01T05:12:29.716062Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
CVE-2023-49292 affecting package golang for versions less than 1.21.6-1
Details

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If the functions Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, the attacker could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade.

References

Affected packages

Azure Linux:2 / golang

Package

Name
golang
Purl
pkg:rpm/azure-linux/golang

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.18.0
Fixed
1.21.6-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37392.json"