CVE-2023-49292
MEDIUMecies Go <2.0.8 - Private Key Recovery via Invalid Curve Operations
Title source: manualDescription
ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If funcations Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, they could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
Patch x_refsource_misc
https://github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
Exploit x_refsource_misc
https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/Attack-Invalid-Curve-Point/README.md
Release Notes x_refsource_misc
https://github.com/ecies/go/releases/tag/v2.0.8
Scores
CVSS v3
4.9
EPSS
0.0034
EPSS Percentile
25.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-200
Status
published
Products (2)
ecies/go
< 2.0.8
ecies/go
0 - 2.0.8Go
Published
Dec 05, 2023
Tracked Since
Feb 18, 2026