{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-23T00:00:00Z",
  "bugzilla" : {
    "description" : "python-ecdsa: vulnerable to the Minerva attack",
    "id" : "2259780",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2259780"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-385",
  "details" : [ "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.", "A flaw was found in the `ecdsa` PyPI package, a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior may be vulnerable to the Minerva attack." ],
  "statement" : "Some of the offerings such as Quay do not rely on python-ecdsa, therefore the impact is minimal or non-existing for these products.",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10806",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "python-pulp-container-0:2.16.9-2.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10806",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.15::el8",
    "package" : "python-pulp-container-0:2.16.9-2.el8pc"
  }, {
    "product_name" : "RHUI 4 for RHEL 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1878",
    "cpe" : "cpe:/a:redhat:rhui:4::el8",
    "package" : "python-ecdsa-0:0.18.0-4.el8ui"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python-ecdsa",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "python-ecdsa",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite:el8/python-ecdsa",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-23342\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23342\nhttps://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md\nhttps://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp\nhttps://minerva.crocs.fi.muni.cz/\nhttps://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/" ],
  "name" : "CVE-2024-23342",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}