CVE-2023-49292: 
NixOS vulnerability analysis and mitigation

The vulnerability CVE-2023-49292 affects ecies, an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. The vulnerability was discovered in versions prior to 2.0.8 and disclosed on December 4, 2023. The issue affects the Encapsulate(), Decapsulate() and ECDH() functions in the package, which could potentially allow attackers to recover private keys (GitHub Advisory).

The vulnerability stems from insufficient validation of points on the Elliptic Curve. The issue specifically relates to the lack of proper curve point validation checks in the affected functions. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, while GitHub assessed it with a score of 4.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, an attacker who can interact with the Encapsulate(), Decapsulate(), and ECDH() functions could potentially recover any private key that interacts with these functions. This represents a significant security risk as it could lead to unauthorized access to encrypted communications and compromise of sensitive data (GitHub Advisory).

The vulnerability has been patched in version 2.0.8 of the package. Users are strongly advised to upgrade to this version. As a workaround, users can manually check public keys by calling the IsOnCurve() function from secp256k1 libraries (GitHub Advisory).