AVID-2026-R1428

Description

python-ecdsa vulnerable to Minerva attack on P-256 (CVE-2024-23342)

Details

The ecdsa PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.

Reason for inclusion in AVID: CVE-2024-23342 describes a Minerva attack against the Python-ecdsa library (versions ≤0.18.0), a cryptographic software component. This is a software supply-chain vulnerability affecting signing/integrity/authenticity mechanisms, which can impact AI deployments that rely on Python ecosystems for model packaging, verification, and secure communications. Though not AI-specific, it targets a component commonly used in software stacks that underpin general-purpose AI systems. The report provides explicit vulnerability behavior and references, with no patched version available at publication, signaling a credible security risk in the AI software supply chain.

References

• NVD entry
• https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
• https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
• https://minerva.crocs.fi.muni.cz/
• https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

Affected or Relevant Artifacts

• Developer: tlsfuzzer
• Deployer: tlsfuzzer
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-01-22
• Version: 0.3.3
• AVID Entry