Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zNDk0LWNmd2YtNTZod84AA7Wr

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. (This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library.)

Paragon Initiative Enterprises hard-forked phpecc/phpecc and discovered the issue in the original code, then released v2.0.1 which fixes the vulnerability. The upstream code is no longer maintained and remains vulnerable for all versions.

Permalink: https://github.com/advisories/GHSA-3494-cfwf-56hw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNDk0LWNmd2YtNTZod84AA7Wr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 24 days ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-3494-cfwf-56hw, CVE-2024-33851
References:

Repository: https://github.com/paragonie/phpecc
Blast Radius: 11.7

Affected Packages

packagist:mdanter/ecc

Dependent packages: 110
Dependent repositories: 539
Downloads: 5,176,589 total
Affected Version Ranges: <= 1.0.0
No known fixed version
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 1.0.0

packagist:paragonie/ecc

Dependent packages: 1
Dependent repositories: 0
Downloads: 121,153 total
Affected Version Ranges: >= 0, < 2.0.1
Fixed in: 2.0.1
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 1.0.0, 2.0.0
All unaffected versions: 2.0.1, 2.1.0, 2.2.0, 2.3.0