Timing Attack Affecting simplito/elliptic-php package, versions <1.0.6


0.0
medium

Snyk CVSS
  • Attack Complexity: High
  • Integrity: High

Threat Intelligence
  • EPSS: 0.24% (62nd percentile)

NVD: 7.4 high

  • Snyk ID SNYK-PHP-SIMPLITOELLIPTICPHP-534576
  • published 18 Nov 2019
  • disclosed 18 Nov 2019
  • credit Sam Sanoop of Snyk Security Team

How to fix?

Upgrade simplito/elliptic-php to version 1.0.6 or higher.

Overview

simplito/elliptic-php is a fast, general elliptic curve cryptography library.

Affected versions of this package are vulnerable to a timing attack. Scalar multiplication on an elliptic curve can leak the bit-length of the scalar, which, under certain conditions, might allow practical recovery of the long-term private key generated by the library.
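
The leak described above, as an added illustration in Python (not code from simplito/elliptic-php or from the advisory): a double-and-add loop runs once per bit of the scalar, so its duration tracks the scalar's bit-length. The toy curve, the function names, and the `fixed_length` countermeasure (adding a multiple of the group order, a known technique) are assumptions of this example and are not claimed to be the 1.0.6 fix.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed sample, not a real curve).
P, A = 17, 2
G, N = (5, 1), 19          # generator and its prime order

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                     # P + (-P), or doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, point):
    """Left-to-right double-and-add. Returns (k*point, loop iterations)."""
    acc, steps = None, 0
    for bit in bin(k)[2:]:              # one iteration per bit of k: the leak
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, point)
        steps += 1
    return acc, steps

def fixed_length(k):
    """Hypothetical helper: add N or 2N so the scalar always has
    bit_length(N) + 1 bits. N*G is infinity, so the product is unchanged."""
    k2 = k + N
    if k2.bit_length() <= N.bit_length():
        k2 += N
    return k2

def loop_lengths(prepare=lambda k: k):
    """Set of iteration counts observed over every valid scalar 1..N-1."""
    return {scalar_mul(prepare(k), G)[1] for k in range(1, N)}

if __name__ == "__main__":
    print("raw scalars   :", sorted(loop_lengths()))
    print("padded scalars:", sorted(loop_lengths(fixed_length)))
    assert all(scalar_mul(fixed_length(k), G)[0] == scalar_mul(k, G)[0]
               for k in range(1, N))
```

The padding removes only the dependence of the loop length on the scalar; the `if bit == "1"` branch is still data-dependent, which a constant-time implementation would also have to address.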