CVE-2024-23688

Published Jan 19, 2024

Last updated 10 months ago

Overview

Description: Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
Source: disclosure@vulncheck.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-330
disclosure@vulncheck.com: CWE-323

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:consensys:discovery:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "33F278C7-2BA2-400A-AB54-C1CC096B8D31",
            "versionEndExcluding": "0.4.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References