CVE-2014-5270 — Sensitive Information Exposure in Libgcrypt

CWE-200 — Sensitive Information Exposure11 documents8 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 77.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnupg Libgcrypt Debian Linux

Timeline

PublishedOct 10

Latest updateMay 17

Description

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages1 packages

▶NVDgnupg/libgcrypt1.5.3+8

Also affects: Debian Linux 7.0

Patches

Patch: lists.gnupg.org ↗Patch: lists.gnupg.org ↗

🔴Vulnerability Details

GHSA

GHSA-47gj-9v97-r4c7: Libgcrypt before 1↗2022-05-17

▶

CVEList

CVE-2014-5270: Libgcrypt before 1↗2014-10-10

▶

OSV

CVE-2014-5270: Libgcrypt before 1↗2014-10-10

▶

📋Vendor Advisories

Ubuntu

GnuPG vulnerabilities↗2015-04-01

▶

Ubuntu

GnuPG vulnerability↗2014-09-03

▶

Ubuntu

Libgcrypt vulnerability↗2014-09-03

▶

Red Hat

libgcrypt: ELGAMAL side-channel attack↗2014-08-08

▶

Debian

CVE-2014-5270: libgcrypt20 - Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly p...↗2014

▶

💬Community

Bugzilla

CVE-2014-3591 libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)↗2015-03-03

▶

Bugzilla

CVE-2014-5270 libgcrypt: ELGAMAL side-channel attack↗2014-08-11

▶