PT-2024-19822 · Pypi+1 · Ecdsa+1

Alicja Kario +1 · Published 2024-01-22 · Updated 2025-08-26 · CVE-2024-23342

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ecdsa versions 0.18.0 and prior

Description

The ecdsa PyPI package, a pure Python implementation of ECC (Elliptic Curve Cryptography), is affected by a Minerva timing attack on the P-256 curve. This attack can leak the internal nonce when using the ecdsa.SigningKey.sign_digest() API function, potentially allowing for private key discovery. The issue affects ECDSA signatures, key generation, and ECDH operations, but not ECDSA signature verification.

Recommendations

For versions 0.18.0 and prior, as a temporary workaround, consider restricting the use of the ecdsa.SigningKey.sign_digest() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2024-23342
GHSA-WJ6H-64FC-37MP
RHSA-2024:10806
RHSA-2024:1878

Affected Products

Debian
Ecdsa