Workflow

PyPi: Ecdsa

CVE-2024-23342

Safety vulnerability ID: 64459

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 23, 2024 Updated at Nov 29, 2024
Scan your Python projects for vulnerabilities →

Advisory

The python-ecdsa library, which implements ECDSA cryptography in Python, is vulnerable to the Minerva attack (CVE-2024-23342). This vulnerability arises because scalar multiplication is not performed in constant time, affecting ECDSA signatures, key generation, and ECDH operations. ECDSA signature verification remains unaffected. The project maintainers have stated that there is no plan to release a fix for this vulnerability, citing their security policy:
"As stated in the security policy, side-channel vulnerabilities are outside the scope of the project. This is not due to a lack of interest in side-channel secure implementations but rather because the main goal of the project is to be pure Python. Implementing side-channel-free code in pure Python is impossible. Therefore, we do not plan to release a fix for this vulnerability."
NOTE: The specs we include in this advisory differ from the publicly available on other sources. That's because research by Safety CLI Cybersecurity Team confirms that there is no plan to address this vulnerability.

Affected package

ecdsa

Latest version: 0.19.0

ECDSA cryptographic signature library (pure python)

Affected versions

Fixed versions

Vulnerability changelog

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists. See CVE-2024-23342.


MISC:https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md: https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
MISC:https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
MISC:https://minerva.crocs.fi.muni.cz/: https://minerva.crocs.fi.muni.cz/
MISC:https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.4

CVSS v3 Details

HIGH 7.4
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
HIGH
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Availability (A)
NONE