Information Exposure

Affecting libgcrypt20 package, versions *

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream libgcrypt20 package.

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.

Remediation

There is no fixed version for Ubuntu:18.04 libgcrypt20.

References

CVSS Score

7.5
low severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE
CVE-2021-33560
CWE
CWE-203
Snyk ID
SNYK-UBUNTU1804-LIBGCRYPT20-1297920
Disclosed
08 Jun, 2021
Published
01 Jun, 2021