CVE-2024-23342: Minerva timing attack on P-256 in python-ecdsa

January 22, 2024 (updated July 30, 2025)

python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. By timing signatures produced with the ecdsa.SigningKey.sign_digest() API function, an attacker can leak the internal nonce, which may allow for private key discovery. ECDSA signatures, key generation, and ECDH operations are all affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side-channel attacks out of scope for the project and there is no planned fix.

References

  • github.com/advisories/GHSA-wj6h-64fc-37mp
  • github.com/tlsfuzzer/python-ecdsa
  • github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
  • github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
  • minerva.crocs.fi.muni.cz/
  • nvd.nist.gov/vuln/detail/CVE-2024-23342
  • securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python

Affected versions

All versions

Solution

Unfortunately, there is no solution available yet.

Impact 7.4 HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weakness

  • CWE-203: Observable Discrepancy
  • CWE-208: Observable Timing Discrepancy
  • CWE-385: Covert Timing Channel

Source file

pypi/ecdsa/CVE-2024-23342.yml

Page generated Sat, 23 Aug 2025 00:18:59 +0000.