CVE-2023-46324

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-46324

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46324.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-46324

Aliases

GHSA-cqvv-r3g3-26rf

Published

2023-10-23T01:15:07Z

Modified

2025-07-01T15:12:23.807432Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker's public key.

References

Affected packages

Git / github.com/free5gc/udm

Affected ranges

Type: GIT
Repo: https://github.com/free5gc/udm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f9aad0efdd62e0599c9451620263954c11d4e6ef

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1