GHSA-wp4m-7hpj-8qp8: Duplicate Advisory: Discovery uses the same AES/GCM Nonce throughout the session

January 20, 2024 (updated December 2, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w3hj-wr2q-x83g. This link is maintained to preserve external references.

Original Description

Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node’s private key isn’t compromised, only the session key generated for specific peer communication is exposed.

References

github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g
github.com/advisories/GHSA-w3hj-wr2q-x83g
github.com/advisories/GHSA-wp4m-7hpj-8qp8
nvd.nist.gov/vuln/detail/CVE-2024-23688
vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g

Code Behaviors & Features

Detect and mitigate GHSA-wp4m-7hpj-8qp8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →