Vulnerability Report: GO-2023-2380
- CVE-2023-49292, GHSA-8j98-cjfr-qx3h
- Affects: github.com/ecies/go/v2
- Published: Dec 11, 2023
- Modified: May 20, 2024
An attacker may be able to recover private keys due to a bug in the ECDH function. The library does not check whether the provided public key is on the curve, which means that an attacker can create a public key that is not on the curve and use it to recover the private key. A workaround is to manually check that the public key is valid by calling the IsOnCurve function from the secp256k1 libraries.
For detailed information about this vulnerability, visit https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h.
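The workaround above, written out as an added example (not code from ecies/go or its advisory): a peer's public key is rejected before ECDH unless it satisfies the secp256k1 equation. `CheckPeerKey` and `GeneratorKey` are hypothetical names, the 65-byte uncompressed encoding is an assumption, and the check uses `math/big` only so that it runs without a secp256k1 dependency.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 field prime p; the curve is y^2 = x^3 + 7 over F_p.
var fieldP, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)

// CheckPeerKey (hypothetical helper) validates an uncompressed public key
// (0x04 || X || Y) before it is passed to any ECDH computation.
func CheckPeerKey(pub []byte) error {
	if len(pub) != 65 || pub[0] != 0x04 {
		return errors.New("not a 65-byte uncompressed point")
	}
	x := new(big.Int).SetBytes(pub[1:33])
	y := new(big.Int).SetBytes(pub[33:65])
	// Coordinates must be canonical field elements (strictly below p).
	if x.Cmp(fieldP) >= 0 || y.Cmp(fieldP) >= 0 {
		return errors.New("coordinate out of range")
	}
	// Curve equation: y^2 == x^3 + 7 (mod p). Inputs are public values,
	// so variable-time big.Int arithmetic is acceptable here.
	lhs := new(big.Int).Exp(y, big.NewInt(2), fieldP)
	rhs := new(big.Int).Exp(x, big.NewInt(3), fieldP)
	rhs.Add(rhs, big.NewInt(7)).Mod(rhs, fieldP)
	if lhs.Cmp(rhs) != 0 {
		return errors.New("point is not on secp256k1")
	}
	return nil
}

// GeneratorKey returns the secp256k1 base point G, used as a sample valid key.
func GeneratorKey() []byte {
	gx, _ := new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
	gy, _ := new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)
	out := make([]byte, 65)
	out[0] = 0x04
	gx.FillBytes(out[1:33])
	gy.FillBytes(out[33:65])
	return out
}

func main() {
	bad := GeneratorKey()
	bad[64] ^= 0x01 // constructed invalid input: one bit of Y altered
	fmt.Println(CheckPeerKey(GeneratorKey()), CheckPeerKey(bad))
}
```

In a real code base the same gate would call the `IsOnCurve` function of the secp256k1 library in use, as the report suggests, and upgrading to v2.0.8 or later removes the need for the manual check.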
Affected Packages
- Path: github.com/ecies/go/v2
- Go Versions: before v2.0.8
- Symbols: 5 affected symbols
References
- https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
- https://github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
- https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
- https://vuln.go.dev/ID/GO-2023-2380.json