CVE-2023-49292

Name of the Vulnerable Software and Affected Versions ecies versions prior to 2.0.8

Description The issue allows an attacker to recover any private key that interacts with the vulnerable functions. This is due to a bug in the ECDH function where it does not check whether the provided public key is on the curve, allowing an attacker to create a public key not on the curve and use it to recover the private key. The vulnerable functions include Encapsulate(), Decapsulate(), and ECDH(). As a mitigation measure, users can manually check public keys by calling the IsOnCurve() function from secp256k1 libraries.

Recommendations For versions prior to 2.0.8, upgrade to version 2.0.8 or later to resolve the issue. As a temporary workaround, consider manually checking public keys by calling the IsOnCurve() function from secp256k1 libraries to minimize the risk of exploitation.