GHSA-8j98-cjfr-qx3h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8j98-cjfr-qx3h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-8j98-cjfr-qx3h/GHSA-8j98-cjfr-qx3h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8j98-cjfr-qx3h
- Aliases
- Related
- Published
- 2023-12-05T23:30:56Z
- Modified
- 2023-12-11T15:58:19.251706Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- github.com/ecies/go vulnerable to possible private key restoration
- Details
-
Impact
If functions
Encapsulate(),Decapsulate()andECDH()could be called by an attacker, he could recover any private key that he interacts with.Patches
Patched in v2.0.8
Workarounds
You could manually check public key by calling
IsOnCurve()function from secp256k1 libraries.References
https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
- Database specific
{ "nvd_published_at": "2023-12-05T00:15:09Z", "cwe_ids": [ "CWE-200" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-12-05T23:30:56Z" }- References
-
- https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
- https://nvd.nist.gov/vuln/detail/CVE-2023-49292
- https://github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
- https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
- https://github.com/ecies/go
- https://github.com/ecies/go/releases/tag/v2.0.8
Affected packages
Go / github.com/ecies/go/v2
Package
- Name
- github.com/ecies/go/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ecies/go/v2