CVE-2023-24532

Published: Mar 8, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

Affected (2)

Products: Golang: Go

Golang

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.19.7
Golang Go	From 1.20.0 to 1.20.2

Related CWEs

CWE-682

Incorrect Calculation

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

References (9)

https://go.dev/cl/471255

Source: security@golang.org

Patch

https://go.dev/issue/58647

Source: security@golang.org

Issue TrackingPatch

https://groups.google.com/g/golang-announce/c/3-TpUx48iQY

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2023-1621

Source: security@golang.org

Third Party Advisory

https://go.dev/cl/471255