Do your applications use this vulnerable package?
Test your applications
Overview
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
References
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- MISC
- MISC
- MISC
- MISC
- Oracle Security Advisory
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- Security Tracker
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
CVSS Score
4.7
medium severity
-
Attack VectorLocal
-
Attack ComplexityHigh
-
Privileges RequiredLow
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityNone
-
AvailabilityNone
- CVE
- CVE-2018-0495
- CWE
- CWE-203
- Snyk ID
- SNYK-ALPINE37-LIBRESSL-268394
- Disclosed
- 13 Jun, 2018
- Published
- 13 Jun, 2018