Vulnerability Name:

CVE-2023-24532 (CCN-249655)

Assigned:2023-03-08
Published:2023-03-08
Updated:2023-03-15
Summary:An unspecified error with return an incorrect result in the ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go has an unknown impact and attack vector.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Consequences:Other
References:Source: MITRE
Type: CNA
CVE-2023-24532

Source: XF
Type: UNKNOWN
golang-cve202324532-unspecified(249655)

Source: CCN
Type: Go GIT Repository
crypto/elliptic: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532) #58647

Source: CCN
Type: GO-2023-1621
crypto/internal/nistec

Source: CCN
Type: IBM Security Bulletin 6987489 (Db2 Rest)
Multiple vulnerabilities in golang affect IBM Db2 REST

Source: CCN
Type: IBM Security Bulletin 6995167 (Event Streams)
IBM Event Streams is affected by vulnerabilities in Golang Go (CVE-2022-41724, CVE-2023-24532)

Source: CCN
Type: IBM Security Bulletin 6995507 (Cloud Pak for Integration)
Operations Dashboard is vulnerable to unspecified errors due to Go (CVE-2023-24532)

Source: CCN
Type: IBM Security Bulletin 6995589 (Spectrum Copy Data Management)
Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6998391 (Cloud Pak for Integration)
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go

Source: CCN
Type: IBM Security Bulletin 7004575 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

Source: CCN
Type: IBM Security Bulletin 7005589 (Spectrum Protect Plus)
Vulnerabilities in Apache Commons, Tomcat, Go, libcurl, OpenSSL, Python, Node.js, and Linux can affect IBM Spectrum Protect Plus.

Source: CCN
Type: IBM Security Bulletin 7006393 (Storage Protect)
IBM Storage Protect Server is vulnerable to attacks due to Golang Go (CVE-2023-24532)

Source: CCN
Type: IBM Security Bulletin 7006397 (Robotic Process Automation for Cloud Pak)
A vulnerability in Go may affect IBM Robotic Process Automation for Cloud Pack (CVE-2023-24532).

Source: CCN
Type: IBM Security Bulletin 7007813 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operands and operator are vulnerable to [CVE-2023-24532]

Source: CCN
Type: IBM Security Bulletin 7008449 (Db2 on Cloud Pak for Data)
Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Source: CCN
Type: IBM Security Bulletin 7011697 (Storage Protect Plus Container Agent)
Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 7015037 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an incorrect result in the ScalarMult and ScalarBaseMult methods in Golang Go (CVE-2023-24532)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:golang:go:1.19.6:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.20.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:event_streams:10.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8013
    P
    		go1.19-1.19.9-150000.1.31.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:8014
    P
    		go1.20-1.20.4-150000.1.11.1 on GA media (Moderate)
    2023-06-20
    BACK
    golang go 1.19.6
    golang go 1.20.1
    ibm spectrum protect plus 10.1.0
    ibm event streams 10.0.0
    ibm event streams 10.1.0
    ibm event streams 10.3.0
    ibm event streams 10.3.1
    ibm spectrum copy data management 2.2.0.0
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm robotic process automation for cloud pak 21.0.1
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0
    ibm app connect enterprise certified container 6.1
    ibm app connect enterprise certified container 6.2