CVE-2023-49292 MEDIUM

CVE-2023-49292: Possible private key restoration in go package github.com/ecies/go

Vendor Ecies

Product go

Weakness CWE-200 · Info exposure

Published December 4, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If funcations Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, they could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade.

Key dates

02Disclosure timeline

December 4, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-49292

Related vulnerabilities

CVE-2023-49292: Possible private key restoration in go package github.com/ecies/go

01Description

02Disclosure timeline

03References

04Related CVE