CVE-2024-23688
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 0.4.5 | affected |
Weaknesses
- CWE-323: CWE-323 Reusing a Nonce, Key Pair in Encryption
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g
- https://github.com/advisories/GHSA-w3hj-wr2q-x83g
- https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/ConsenSys/discovery/security/advisories/GHSA-w3hj-wr2q-x83g
- https://github.com/advisories/GHSA-w3hj-wr2q-x83g
- https://vulncheck.com/advisories/vc-advisory-GHSA-w3hj-wr2q-x83g
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.