
CVE-2024-23342: Minerva timing attack on P-256 in python-ecdsa

CVSS Score (v3.1): 7.4

Basic Information

EPSS Score: 0.69139%
Published: 1/22/2024
Updated: 1/23/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| ecdsa | pip | <= 0.18.0 | |

Vulnerability Intelligence
Root Cause Analysis

The advisory explicitly names the `sign_digest()` API as the entry point for the attack. The root cause is non-constant-time scalar multiplication in P-256 operations, which leaks the nonce bit-length through timing measurements. The library's security policy acknowledges that side-channel vulnerabilities are out of scope, confirming that no constant-time protections exist. Key generation and ECDH are also affected, but `sign_digest()` is the only function the advisory names with sufficient specificity.
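The leak described above, shown as an added example (not python-ecdsa's code and not part of the advisory): it counts group operations to show that a double-and-add loop runs once per bit of the nonce, while a fixed-width ladder follows the same schedule for every nonce. The toy additive group modulo `N` stands in for P-256, and `leaky_mul`, `ladder_mul`, `N`, `G` and `WIDTH` are hypothetical names and constructed values.

```python
# Added illustration: toy arithmetic, not python-ecdsa's implementation.
# The "group" is the integers under addition modulo N, so k*G can be
# checked directly as (k * G) % N. N and G are constructed values.
N = 2**255 - 19
G = 9
WIDTH = 256  # fixed scalar width used by the ladder variant


def leaky_mul(k, point=G):
    """Left-to-right double-and-add.

    Returns (result, doublings, additions). The number of doublings equals
    k.bit_length(), so a nonce with leading zero bits finishes sooner.
    """
    acc, doubles, adds = 0, 0, 0
    for bit in bin(k)[2:]:
        acc = (acc + acc) % N
        doubles += 1
        if bit == "1":
            acc = (acc + point) % N
            adds += 1
    return acc, doubles, adds


def ladder_mul(k, point=G, width=WIDTH):
    """Montgomery-ladder schedule over a fixed number of bits.

    Returns (result, operations). Every bit costs one addition and one
    doubling, including leading zeros, so the count is 2 * width for any k.
    Python integers and branches are not constant time; this shows the
    fixed operation schedule only, not a side-channel-safe implementation.
    """
    r0, r1, ops = 0, point % N, 0
    for i in reversed(range(width)):
        if (k >> i) & 1:
            r0, r1 = (r0 + r1) % N, (r1 + r1) % N
        else:
            r0, r1 = (r0 + r0) % N, (r0 + r1) % N
        ops += 2
    return r0, ops


if __name__ == "__main__":
    # Constructed nonces: one with 55 leading zero bits, one full width.
    for k in ((1 << 200) | 12345, (1 << 255) | 12345):
        _, doubles, adds = leaky_mul(k)
        _, ops = ladder_mul(k)
        print(k.bit_length(), "bits: leaky ops", doubles + adds, "ladder ops", ops)
```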

WAF Protection Rules

WAF Rule

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery.
