Security
Headlines

Headlines Latest CVEs

Headline

GHSA-cqvv-r3g3-26rf: free5GC udm vulnerable to Invalid Curve Attack

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker’s public key.

1 year ago

GitHub Advisory Database
GitHub Reviewed
CVE-2023-46324

free5GC udm vulnerable to Invalid Curve Attack

Moderate severity GitHub Reviewed Published Oct 23, 2023 to the GitHub Advisory Database • Updated Oct 24, 2023

Package

gomod github.com/free5gc/udm (Go)

Affected versions

< 1.2.0

Published to the GitHub Advisory Database

Oct 23, 2023

Last updated

Oct 24, 2023

Related news

CVE-2023-46324: Prevent Invalid Curve Attack on 5G SUCI Feature by Roy-Hu · Pull Request #20 · free5gc/udm

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker's public key.

1 year ago

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP

2 days ago

GHSA-j5vv-6wjg-cfr8: changedetection.io Vulnerable to Improper Input Validation Leading to LFR/Path Traversal

2 days ago

GHSA-qx95-cwh6-9mvq: TCPDF missing character escape on error messages

2 days ago

GHSA-w95c-7994-ghpr: TCPDF has incorrect comparison

2 days ago

GHSA-4p8j-vhjm-6pvw: TCPDF lacks SVG sanitization

2 days ago