Information Exposure Affecting nettle package, versions *


low

Snyk CVSS

    Attack Complexity High
    Scope Changed
    Confidentiality High

    Threat Intelligence

    EPSS 0.1% (41st percentile)
Expand this section
NVD
5.7 medium
Expand this section
SUSE
5.3 medium
Expand this section
Red Hat
4.7 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN9-NETTLE-302009
  • published 3 Dec 2018
  • disclosed 3 Dec 2018

How to fix?

There is no fixed version for Debian:9 nettle.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nettle package and not the nettle package as distributed by Debian. See How to fix? for Debian:9 relevant fixed versions and status.

A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.