Name of the Vulnerable Software and Affected Versions PHPECC (affected versions not specified)

Description The issue concerns malleable ECDSA signature attacks. When generating new ECDSA signatures, the use of the GMPMath adapter, which wraps the GNU Multiple Precision arithmetic library (GMP), allows for potential timing attacks. An attacker can trigger many signatures and study the time it takes to perform each operation, potentially leaking the secret number, k, and learning the private key. Additionally, the EcDH class has a timing leak in the scalar-point multiplication due to non-constant-time methods (add(), mul(), and getDouble()) on the Point class, which can leak information about each bit of the private key.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.