CVE-2013-4242 — Sensitive Information Exposure in Gnupg

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

1.9LOWNVD

EPSS

0.1%

top 73.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnupg Gnupg Libgcrypt Canonical Ubuntu Linux +2 more

Timeline

PublishedAug 19

Latest updateMay 14

Description

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages3 packages

▶NVDgnupg/libgcrypt1.5.2+7

▶NVDgnupg/gnupg1.4.13+76

▶NVDopensuse/opensuse12.2, 12.3+1

Also affects: Debian Linux 6.0, 7.0, Ubuntu Linux 10.04, 12.04, 12.10, 13.04

🔴Vulnerability Details

GHSA

GHSA-rpp2-q7rq-p78j: GnuPG before 1↗2022-05-14

▶

CVEList

CVE-2013-4242: GnuPG before 1↗2013-08-19

▶

📋Vendor Advisories

Ubuntu

GnuPG, Libgcrypt vulnerability↗2013-08-01

▶

Red Hat

GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack↗2013-07-22

▶

💬Community

Bugzilla

CVE-2014-5270 libgcrypt: ELGAMAL side-channel attack↗2014-08-11

▶

Bugzilla

CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack↗2013-07-25

▶