CVE-2023-49292

low-risk
Published 2023-12-05

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If funcations Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, they could recover any private key that interacts with it. This vulnerability was patched in 2.0.8. Users are advised to upgrade.

Do I need to act?

-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Go

Affected Vendors

Ecies

References (8)

Exploit https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/...
Patch https://github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
Release Notes https://github.com/ecies/go/releases/tag/v2.0.8
Vendor Advisory https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
Exploit https://github.com/ashutosh1206/Crypton/blob/master/Diffie-Hellman-Key-Exchange/...
Patch https://github.com/ecies/go/commit/c6e775163866d6ea5233eb8ec8530a9122101ebd
Release Notes https://github.com/ecies/go/releases/tag/v2.0.8
Vendor Advisory https://github.com/ecies/go/security/advisories/GHSA-8j98-cjfr-qx3h
22
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal