CVE-2019-10764: Observable Discrepancy

November 20, 2019 (updated August 18, 2021)

In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

References

github.com/advisories/GHSA-mr6r-82x4-f4jj
github.com/simplito/elliptic-php/commit/15652609aa55968d56685c2a9120535ccdc00fd9
minerva.crocs.fi.muni.cz/
nvd.nist.gov/vuln/detail/CVE-2019-10764
snyk.io/vuln/SNYK-PHP-SIMPLITOELLIPTICPHP-534576

Detect and mitigate CVE-2019-10764 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →