GHSA-3494-cfwf-56hw

Suggest an improvement
Source
https://github.com/advisories/GHSA-3494-cfwf-56hw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3494-cfwf-56hw/GHSA-3494-cfwf-56hw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3494-cfwf-56hw
Aliases
Published
2024-04-28T00:30:22Z
Modified
2024-12-05T05:40:44.948728Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
mdanter/ecc affected by timing vulnerability in cryptographic side-channels
Details

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. (This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library.)

Paragon Initiative Enterprises hard-forked phpecc/phpecc and discovered the issue in the original code, then released v2.0.1 which fixes the vulnerability. The upstream code is no longer maintained and remains vulnerable for all versions.

Database specific
{
    "nvd_published_at": "2024-04-27T22:15:08Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-10T21:49:12Z"
}
References

Affected packages

Packagist / paragonie/ecc

Package

Name
paragonie/ecc
Purl
pkg:composer/paragonie/ecc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.1

Affected versions

v2.*

v2.0.0

Packagist / mdanter/ecc

Package

Name
mdanter/ecc
Purl
pkg:composer/mdanter/ecc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.0

Affected versions

0.*

0.2.0

v0.*

v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.5.0
v0.5.1
v0.5.2

v1.*

v1.0.0