CVE-2014-3591 — Sensitive Information Exposure in Gnupg

CWE-200 — Sensitive Information Exposure15 documents8 sources

Severity

4.2MEDIUMNVD

EPSS

0.1%

top 65.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnupg Gnupg Libgcrypt GNU Gnupg +2 more

Timeline

PublishedNov 29

Latest updateMay 17

Description

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 0.5 | Impact: 3.6

Affected Packages5 packages

▶NVDgnupg/libgcrypt< 1.6.3

▶NVDgnupg/gnupg< 1.4.19

▶Ubuntugnupg/gnupg< 1.4.16-1ubuntu2.3

▶CVEListV5gnu/gnupgbefore 1.4.19

▶CVEListV5gnu/libgcryptbefore 1.6.3

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: lists.gnupg.org ↗Patch: lists.gnupg.org ↗Patch: lists.gnupg.org ↗

🔴Vulnerability Details

GHSA

GHSA-5p8v-2xvp-pwmc: Libgcrypt before 1↗2022-05-17

▶

CVEList

CVE-2014-3591: Libgcrypt before 1↗2019-11-29

▶

OSV

CVE-2014-3591: Libgcrypt before 1↗2019-11-29

▶

OSV

libgcrypt11, libgcrypt20 vulnerabilities↗2015-04-01

▶

OSV

gnupg, gnupg2 vulnerabilities↗2015-04-01

▶

📋Vendor Advisories

Ubuntu

Libgcrypt vulnerabilities↗2015-04-01

▶

Ubuntu

GnuPG vulnerabilities↗2015-04-01

▶

Red Hat

libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)↗2015-02-27

▶

Debian

CVE-2014-3591: libgcrypt20 - Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext bli...↗2014

▶

💬Community

Bugzilla

CVE-2015-0837 CVE-2014-3591 gnupg: various flaws [fedora-all]↗2015-03-03

▶

Bugzilla

CVE-2015-0837 CVE-2014-3591 mingw-libgcrypt: various flaws [epel-all]↗2015-03-03

▶

Bugzilla

CVE-2015-0837 CVE-2014-3591 libgcrypt: various flaws [fedora-all]↗2015-03-03

▶

Bugzilla

CVE-2015-0837 CVE-2014-3591 mingw-libgcrypt: various flaws [fedora-all]↗2015-03-03

▶

Bugzilla

CVE-2014-3591 libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)↗2015-03-03

▶