Vulnerability Description
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Consensys | Discovery | < 0.4.5 |
Related Weaknesses (CWE)
References
- https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83gVendor Advisory
- https://github.com/advisories/GHSA-w3hj-wr2q-x83gThird Party Advisory
- https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83gThird Party Advisory
- https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83gVendor Advisory
- https://github.com/advisories/GHSA-w3hj-wr2q-x83gThird Party Advisory
- https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83gThird Party Advisory
FAQ
What is CVE-2024-23688?
CVE-2024-23688 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the se...
How severe is CVE-2024-23688?
CVE-2024-23688 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23688?
Check the references section above for vendor advisories and patch information. Affected products include: Consensys Discovery.