CVE-2023-24532
Incorrect calculation on P256 curves in crypto/internal/nistec
5.3
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
How to fix CVE-2023-24532
To remediate CVE-2023-24532, upgrade the affected package to a fixed version below.
- —upgrade to 1.19.7 or later
- —no fix listed
- —upgrade to 1.19.8-2 or later
- —upgrade to 1.19.7 or later
Is CVE-2023-24532 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1.19.7, >= 1.20.0, < 1.20.2
- from 0
- from 0, < 1.19.8-2
- from 0, < 1.19.7, >= 1.20.0-0, < 1.20.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |