
GHSA-8j98-cjfr-qx3h: github.com/ecies/go vulnerable to possible private key restoration

Impact

If an attacker can call the functions Encapsulate(), Decapsulate() and ECDH(), they can recover any private key they interact with.

Patches

Patched in v2.0.8

Workarounds

You can manually check the public key by calling the IsOnCurve() function from a secp256k1 library.
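The check this workaround relies on, written out as an added example (not code from ecies/go or any secp256k1 library): it applies the secp256k1 curve equation with `math/big` instead of calling a library's IsOnCurve(). `ValidateUncompressedPubKey` and `SampleKey` are hypothetical names, and the sample key is constructed from the curve's generator point.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 field prime p = 2^256 - 2^32 - 977; curve equation y^2 = x^3 + 7 (mod p).
var fieldP, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)

// Generator point G, used here only as a known-valid, constructed sample key.
const sampleGx = "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798"
const sampleGy = "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"

// ValidateUncompressedPubKey (hypothetical helper) rejects any peer key that is
// malformed, has unreduced coordinates, or does not satisfy the curve equation.
func ValidateUncompressedPubKey(raw []byte) error {
	if len(raw) != 65 || raw[0] != 0x04 {
		return errors.New("expected 65-byte uncompressed key (0x04 || X || Y)")
	}
	x := new(big.Int).SetBytes(raw[1:33])
	y := new(big.Int).SetBytes(raw[33:65])
	if x.Cmp(fieldP) >= 0 || y.Cmp(fieldP) >= 0 {
		return errors.New("coordinate not reduced modulo p")
	}
	lhs := new(big.Int).Exp(y, big.NewInt(2), fieldP) // y^2 mod p
	rhs := new(big.Int).Exp(x, big.NewInt(3), fieldP) // x^3 mod p
	rhs.Add(rhs, big.NewInt(7)).Mod(rhs, fieldP)      // x^3 + 7 mod p
	if lhs.Cmp(rhs) != 0 {
		return errors.New("point is not on secp256k1")
	}
	return nil
}

// SampleKey returns the constructed sample key; tamper flips one bit of Y.
func SampleKey(tamper bool) []byte {
	raw, _ := hex.DecodeString("04" + sampleGx + sampleGy)
	if tamper {
		raw[64] ^= 0x01
	}
	return raw
}

func main() {
	fmt.Println("valid key:", ValidateUncompressedPubKey(SampleKey(false)))
	fmt.Println("tampered key:", ValidateUncompressedPubKey(SampleKey(true)))
}
```

Run the check on every peer-supplied key before it reaches Encapsulate(), Decapsulate() or ECDH(), and treat any error as a hard failure.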

References

https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md


High severity GitHub Reviewed Published Dec 4, 2023 in ecies/go • Updated Dec 5, 2023

Related news

CVE-2023-49292: Possible private key restoration

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If functions Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, they could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade.