Timing Attack Affecting simplito/elliptic-php package, versions <1.0.6
Snyk CVSS
Attack Complexity: High
Integrity: High
Threat Intelligence
EPSS: 0.24% (62nd percentile)
- Snyk ID SNYK-PHP-SIMPLITOELLIPTICPHP-534576
- published 18 Nov 2019
- disclosed 18 Nov 2019
- credit Sam Sanoop of Snyk Security Team
Introduced: 18 Nov 2019
CVE-2019-10764
How to fix?
Upgrade simplito/elliptic-php to version 1.0.6 or higher.
Overview
simplito/elliptic-php is a fast, general Elliptic Curve Cryptography library.
Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. The bit-length of the scalar can leak during scalar multiplication on an elliptic curve, which might allow practical recovery of the long-term private key.
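To make the leak concrete, the following added example (not code from simplito/elliptic-php or from this advisory) contrasts a double-and-add loop whose operation count follows the scalar's bit-length with a fixed-length Montgomery ladder, one common mitigation for this class of leak. The toy curve, the function names and the 16-bit ladder width are assumptions made for illustration; the advisory does not say how version 1.0.6 changes the code.

```python
# Toy curve y^2 = x^3 + 2x + 3 over F_97 with base point G of order 5.
# Constructed for illustration only; far too small for real use.
P, A, G = 97, 2, (3, 6)

def add(p1, p2):
    """Affine addition/doubling; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul_leaky(k):
    """Double-and-add: the loop runs once per bit of k, so work tracks bit-length."""
    r, ops = None, 0
    for bit in bin(k)[2:]:
        r, ops = add(r, r), ops + 1
        if bit == "1":
            r, ops = add(r, G), ops + 1
    return r, ops

def mul_fixed(k, bits=16):
    """Montgomery ladder over a fixed width: one add and one double per bit for any k."""
    if k.bit_length() > bits:
        raise ValueError("scalar wider than the fixed ladder length")
    r0, r1, ops = None, G, 0
    for i in reversed(range(bits)):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
        ops += 2
    return r0, ops

# Operation counts stand in for time here; Python integers are not constant-time,
# so this shows the structural leak (loop length), not a hardened implementation.
if __name__ == "__main__":
    for k in (1, 0b101, 0xFFFF):
        print(k, mul_leaky(k)[1], mul_fixed(k)[1])
```

In the leaky variant a scalar with leading zero bits finishes in fewer group operations than a full-width one, which is the bit-length signal the advisory describes; the ladder performs the same 32 operations for every 16-bit scalar.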