Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jcXZ2LXIzZzMtMjZyZs4AA2nX

free5GC udm vulnerable to Invalid Curve Attack

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker's public key.

Permalink: https://github.com/advisories/GHSA-cqvv-r3g3-26rf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcXZ2LXIzZzMtMjZyZs4AA2nX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00125
EPSS Percentile: 0.48552

Identifiers: GHSA-cqvv-r3g3-26rf, CVE-2023-46324
References: Repository: https://github.com/free5gc/udm
Blast Radius: 7.2

Affected Packages

go:github.com/free5gc/udm
Dependent packages: 0
Dependent repositories: 9
Downloads:
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1
All unaffected versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0