{"id":"CVE-2024-23342","summary":"python-ecdsa vulnerable to Minerva attack on P-256","details":"The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.","aliases":["GHSA-wj6h-64fc-37mp"],"modified":"2026-03-14T12:27:17.750262Z","published":"2024-01-22T23:09:35.775Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23342.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-203","CWE-208","CWE-385"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23342.json"},{"type":"WEB","url":"https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"},{"type":"ADVISORY","url":"https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"},{"type":"WEB","url":"https://minerva.crocs.fi.muni.cz/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23342"},{"type":"WEB","url":"https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tlsfuzzer/python-ecdsa","events":[{"introduced":"0"},{"last_affected":"341e0d8be9fedf66fbc9a95630b4ed2138343380"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.18.0"}]}}],"versions":["python-ecdsa-0.10","python-ecdsa-0.11","python-ecdsa-0.12","python-ecdsa-0.13","python-ecdsa-0.14","python-ecdsa-0.14.1","python-ecdsa-0.15","python-ecdsa-0.16.0","python-ecdsa-0.16.1","python-ecdsa-0.17.0","python-ecdsa-0.18.0","python-ecdsa-0.18.0b1","python-ecdsa-0.18.0b2","python-ecdsa-0.5","python-ecdsa-0.6","python-ecdsa-0.7","python-ecdsa-0.8","python-ecdsa-0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23342.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}