CVE-2024-23688: Consensys Discovery Nonce Reuse
First published: Fri Jan 19 2024(Updated: )
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
Credit: disclosure@vulncheck.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Consensys Discovery | <0.4.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-23688?
CVE-2024-23688 has a moderate severity due to the reuse of the AES/GCM nonce leading to potential session key exposure.
How do I fix CVE-2024-23688?
To fix CVE-2024-23688, upgrade Consensys Discovery to version 0.4.5 or later.
What causes CVE-2024-23688?
CVE-2024-23688 is caused by the use of the same AES/GCM nonce for the entire session in versions of Consensys Discovery before 0.4.5.
What type of vulnerability is CVE-2024-23688?
CVE-2024-23688 is classified as a cryptographic vulnerability related to nonce reuse in encryption.
Who is affected by CVE-2024-23688?
Any user of Consensys Discovery versions prior to 0.4.5 is affected by CVE-2024-23688.
- agent/title
- agent/references
- agent/first-publish-date
- agent/description
- agent/type
- agent/author
- agent/event
- agent/weakness
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- vendor/consensys
- canonical/consensys discovery