Use of a Broken or Risky Cryptographic Algorithm

Affecting gnutls28 package, versions <3.3.30-0+deb8u1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.

References

CVSS Score

5.6
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE
CVE-2018-10846
CWE
CWE-327 CWE-385
Snyk ID
SNYK-DEBIAN8-GNUTLS28-340593
Disclosed
22 Aug, 2018
Published
25 Sep, 2018