PYSEC-2023-234 (esptool): missing fixed version, upstream issue closed

## Vulnerability

PYSEC-2023-234 / CVE-2023-46894 — esptool "Cryptographic API Misuse Vulnerability: AES ECB used for initialization"

## Problem

The advisory does not specify a fixed version. The upstream issue (espressif/esptool#926) has been **closed** by the maintainers. The explanation is that AES ECB usage is a hardware limitation of early ESP32 revisions (pre-ECO3), not a software bug that can be patched.

The latest esptool release is **5.2.0** (2025-02-18), but osv-scanner still flags it because no `fixed` version is recorded in the advisory.

## Suggested action

Either:
- Mark the advisory as fixed in a specific version, or
- Add a note that this is a hardware limitation acknowledged and closed by the maintainer, so downstream scanners can stop flagging current versions.

## References

- OSV: https://osv.dev/vulnerability/PYSEC-2023-234
- Upstream issue: https://github.com/espressif/esptool/issues/926 (closed)
- Latest release: https://github.com/espressif/esptool/releases/tag/v5.2.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PYSEC-2023-234 (esptool): missing fixed version, upstream issue closed #275

Vulnerability

Problem

Suggested action

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

PYSEC-2023-234 (esptool): missing fixed version, upstream issue closed #275

Description

Vulnerability

Problem

Suggested action

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions