Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04ajk4LWNqZnItcXgzaM4AA3lC
github.com/ecies/go vulnerable to possible private key restoration
Impact
If the functions Encapsulate(), Decapsulate() and ECDH() can be called by an attacker, the attacker could recover any private key that they interact with.
Patches
Patched in v2.0.8
Workarounds
You can manually check the public key by calling the IsOnCurve() function from secp256k1 libraries.
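The kind of check this workaround refers to, as an added example that is not code from ecies/go or from any secp256k1 library: it verifies with `math/big` that a peer's coordinates satisfy the secp256k1 equation y^2 = x^3 + 7 (mod p) before the key is used. `ValidatePeerKey` is a hypothetical helper name, and `BadYHex` is a constructed off-curve sample.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 field prime p = 2^256 - 2^32 - 977, split into 16-digit groups.
const pHex = "FFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFF" + "FFFFFFFEFFFFFC2F"

// Base point G of secp256k1, used here as a known-valid sample key.
const (
	GxHex = "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"
	GyHex = "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"
	// Constructed sample: Gy with its last hex digit changed, so (Gx, BadY) is off the curve.
	BadYHex = "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B9"
)

var fieldP, _ = new(big.Int).SetString(pHex, 16)

var ErrInvalidPoint = errors.New("public key is not a valid secp256k1 point")

// ValidatePeerKey (hypothetical helper) rejects coordinates that are malformed,
// outside [0, p-1], or that do not satisfy y^2 = x^3 + 7 (mod p).
func ValidatePeerKey(xHex, yHex string) error {
	x, okX := new(big.Int).SetString(xHex, 16)
	y, okY := new(big.Int).SetString(yHex, 16)
	if !okX || !okY || x.Sign() < 0 || y.Sign() < 0 ||
		x.Cmp(fieldP) >= 0 || y.Cmp(fieldP) >= 0 {
		return ErrInvalidPoint
	}
	lhs := new(big.Int).Mul(y, y) // y^2
	lhs.Mod(lhs, fieldP)
	rhs := new(big.Int).Exp(x, big.NewInt(3), fieldP) // x^3 mod p
	rhs.Add(rhs, big.NewInt(7))                       // + curve constant b = 7
	rhs.Mod(rhs, fieldP)
	if lhs.Cmp(rhs) != 0 {
		return ErrInvalidPoint
	}
	return nil
}

func main() {
	fmt.Println("G:", ValidatePeerKey(GxHex, GyHex))
	fmt.Println("off-curve:", ValidatePeerKey(GxHex, BadYHex))
}
```

Run the check on every public key received from a peer, before it reaches a key-agreement call.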
References
Permalink: https://github.com/advisories/GHSA-8j98-cjfr-qx3h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ajk4LWNqZnItcXgzaM4AA3lC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 12 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8j98-cjfr-qx3h, CVE-2023-49292
References:
- https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
- https://nvd.nist.gov/vuln/detail/CVE-2023-49292
- https://github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
- https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
- https://github.com/ecies/go/releases/tag/v2.0.8
- https://github.com/advisories/GHSA-8j98-cjfr-qx3h
Blast Radius: 8.1
Affected Packages
go:github.com/ecies/go/v2
Dependent packages: 65
Dependent repositories: 10
Downloads:
Affected Version Ranges: < 2.0.8
Fixed in: 2.0.8
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7
All unaffected versions: 2.0.8, 2.0.9