Vulnerability Description
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.19.7 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/471255Patch
- https://go.dev/issue/58647Issue TrackingPatch
- https://groups.google.com/g/golang-announce/c/3-TpUx48iQYMailing ListRelease Notes
- https://pkg.go.dev/vuln/GO-2023-1621Third Party Advisory
- https://go.dev/cl/471255Patch
- https://go.dev/issue/58647Issue TrackingPatch
- https://groups.google.com/g/golang-announce/c/3-TpUx48iQYMailing ListRelease Notes
- https://pkg.go.dev/vuln/GO-2023-1621Third Party Advisory
- https://security.netapp.com/advisory/ntap-20230331-0011/
FAQ
What is CVE-2023-24532?
CVE-2023-24532 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not i...
How severe is CVE-2023-24532?
CVE-2023-24532 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-24532?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.