io.finnet tss-lib before 2.0.0 can... CVE-2023-26556

- AV AC AU C I A
发布: 2023-04-21
修订: 2023-11-07

io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time (there is an if statement in a loop). One leak is in ecdsa/keygen/round_2.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)

0%
暂无可用Exp或PoC
当前有1条受影响产品信息