GHSA-wp4m-7hpj-8qp8

Published: 20 Jan 2024
Source: github
Github: Reviewed
CVSS3: 5.3

Description

Duplicate Advisory: Discovery uses the same AES/GCM Nonce throughout the session

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w3hj-wr2q-x83g. This link is maintained to preserve external references.

Original Description

Consensys Discovery versions earlier than 0.4.5 use the same AES/GCM nonce for the entire session; the nonce should ideally be unique for every message. The node's private key isn't compromised; only the session key generated for communication with a specific peer is exposed.
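
The weak pattern described above (one nonce kept for the whole session) next to a per-message nonce, as an added example that is not code from Discovery and does not show how 0.4.5 implements its fix. The class `GcmNonceDemo`, the helper `NonceSequence`, its 4-byte prefix plus 8-byte counter layout, and the sample messages are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class GcmNonceDemo {
    static final int NONCE_LEN = 12, TAG_BITS = 128;

    // A fresh Cipher per call: the JDK provider only rejects key/IV reuse on the same Cipher object.
    static byte[] seal(byte[] key, byte[] nonce, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        return c.doFinal(msg);
    }

    // Hypothetical helper: 4 random bytes per session + 8-byte message counter, never repeating under one key.
    static final class NonceSequence {
        private final byte[] prefix = new byte[4];
        private long counter = 0;
        NonceSequence(SecureRandom rng) { rng.nextBytes(prefix); }
        synchronized byte[] next() {
            if (counter == Long.MAX_VALUE) throw new IllegalStateException("rekey: nonce space exhausted");
            return ByteBuffer.allocate(NONCE_LEN).put(prefix).putLong(counter++).array();
        }
    }

    // Number of leading bytes two ciphertexts have in common.
    static int commonPrefix(byte[] a, byte[] b) {
        int i = 0;
        while (i < a.length && i < b.length && a[i] == b[i]) i++;
        return i;
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];
        rng.nextBytes(key);
        // Constructed sample messages that share a 20-byte prefix.
        byte[] m1 = "constructed message one".getBytes(StandardCharsets.UTF_8);
        byte[] m2 = "constructed message two".getBytes(StandardCharsets.UTF_8);

        byte[] sessionNonce = new byte[NONCE_LEN];   // weak: chosen once, reused for every message
        rng.nextBytes(sessionNonce);
        int weak = commonPrefix(seal(key, sessionNonce, m1), seal(key, sessionNonce, m2));

        NonceSequence seq = new NonceSequence(rng);  // corrected: a new nonce for each message
        int unique = commonPrefix(seal(key, seq.next(), m1), seal(key, seq.next(), m2));

        System.out.println("shared ciphertext prefix, reused nonce:  " + weak);   // keystream repeats
        System.out.println("shared ciphertext prefix, unique nonces: " + unique);
    }
}
```

With the reused nonce the keystream repeats, so identical plaintext bytes produce identical ciphertext bytes; with per-message nonces the two ciphertexts are unrelated.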

Packages

Name: tech.pegasys.discovery:discovery
maven

Affected versions: < 0.4.5
Fixed version: 0.4.5

5.3 Medium

CVSS3

Weaknesses

CWE-323
CWE-330
