CVE-2023-24532

CVE-2023-24532

Name

CVE-2023-24532

Description

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://go.dev/cl/471255
MISC	https://pkg.go.dev/vuln/GO-2023-1621
MISC	https://groups.google.com/g/golang-announce/c/3-TpUx48iQY
MISC	https://go.dev/issue/58647

Type

URI

MISC

https://go.dev/cl/471255

MISC

https://pkg.go.dev/vuln/GO-2023-1621

MISC

https://groups.google.com/g/golang-announce/c/3-TpUx48iQY

MISC

https://go.dev/issue/58647

CPE URI	Source package	Min version	Max version
	crypto/internal/nistec	>= 0	< 1.19.7
	crypto/internal/nistec	>= 1.20.0-0	< 1.20.2

CPE URI

Source package

Min version

Max version

crypto/internal/nistec

>= 0

< 1.19.7

crypto/internal/nistec

>= 1.20.0-0

< 1.20.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
go	edge-community	1.20.2-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	fixed
go	3.22-community	1.20.2-r0	None	fixed
go	3.21-community	1.20.2-r0	None	fixed
go	3.20-community	1.20.2-r0	None	fixed
go	3.19-community	1.20.2-r0	None	fixed
go	3.18-community	1.20.2-r0	None	fixed
go	3.17-community	1.19.7-r0	Sören Tempel <soeren+alpine@soeren-tempel.net>	fixed

Source package

Branch

Version

Maintainer

Status

edge-community

1.20.2-r0

Sören Tempel <soeren+alpine@soeren-tempel.net>

fixed

3.22-community

1.20.2-r0

None