{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23342", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T23:09:35.775Z", "dateUpdated": "2025-05-30T14:21:45.651Z"}, "containers": {"cna": {"title": "python-ecdsa vulnerable to Minerva attack on P-256", "problemTypes": [{"descriptions": [{"cweId": "CWE-203", "lang": "en", "description": "CWE-203: Observable Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-385", "lang": "en", "description": "CWE-385: Covert Timing Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}], "affected": [{"vendor": "tlsfuzzer", "product": "python-ecdsa", "versions": [{"version": "<= 0.18.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T23:09:35.775Z"}, "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}], "source": {"advisory": "GHSA-wj6h-64fc-37mp", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.162Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T15:35:54.804068Z", "id": "CVE-2024-23342", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T14:21:45.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://minerva.crocs.fi.muni.cz/", "name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.162Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23342", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-08T15:35:54.804068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T15:35:56.438Z"}}], "cna": {"title": "python-ecdsa vulnerable to Minerva attack on P-256", "source": {"advisory": "GHSA-wj6h-64fc-37mp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "tlsfuzzer", "product": "python-ecdsa", "versions": [{"status": "affected", "version": "<= 0.18.0"}]}], "references": [{"url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "name": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md", "tags": ["x_refsource_MISC"]}, {"url": "https://minerva.crocs.fi.muni.cz/", "name": "https://minerva.crocs.fi.muni.cz/", "tags": ["x_refsource_MISC"]}, {"url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "name": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-203", "description": "CWE-203: Observable Discrepancy"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-385", "description": "CWE-385: Covert Timing Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T23:09:35.775Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23342", "state": "PUBLISHED", "dateUpdated": "2025-05-30T14:21:45.651Z", "dateReserved": "2024-01-15T15:19:19.444Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-22T23:09:35.775Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*", "matchCriteriaId": "32CDB19B-B6CA-4F1D-B5DC-9140D7EB7B3E", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists."}, {"lang": "es", "value": "El paquete PyPI `ecdsa` es una implementaci\u00f3n pura de Python de ECC (criptograf\u00eda de curva el\u00edptica) con soporte para ECDSA (algoritmo de firma digital de curva el\u00edptica), EdDSA (algoritmo de firma digital de curva Edwards) y ECDH (curva el\u00edptica Diffie-Hellman). Las versiones 0.18.0 y anteriores son vulnerables al ataque Minerva. Al momento de la publicaci\u00f3n, no existe ninguna versi\u00f3n parcheada conocida."}], "id": "CVE-2024-23342", "lastModified": "2024-11-21T08:57:32.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-23T00:15:26.397", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://minerva.crocs.fi.muni.cz/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-208"}, {"lang": "en", "value": "CWE-385"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10806", "cpe": "cpe:/a:redhat:satellite:6.15::el8", "package": "python-pulp-container-0:2.16.9-2.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10806", "cpe": "cpe:/a:redhat:satellite_capsule:6.15::el8", "package": "python-pulp-container-0:2.16.9-2.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:1878", "cpe": "cpe:/a:redhat:rhui:4::el8", "package": "python-ecdsa-0:0.18.0-4.el8ui", "product_name": "RHUI 4 for RHEL 8", "release_date": "2024-04-18T00:00:00Z"}], "bugzilla": {"description": "python-ecdsa: vulnerable to the Minerva attack", "id": "2259780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259780"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "(CWE-203|CWE-208|CWE-385)", "details": ["The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.", "A flaw was found in the `ecdsa` PyPI package, a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior may be vulnerable to the Minerva attack."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-23342", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-ecdsa", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-ecdsa", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/python-ecdsa", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-23342\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23342\nhttps://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md\nhttps://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp\nhttps://minerva.crocs.fi.muni.cz/\nhttps://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"], "statement": "Some of the offerings such as Quay do not rely on python-ecdsa, therefore the impact is minimal or non-existing for these products.", "threat_severity": "Moderate"}