CVE-2017-0379 — Sensitive Information Exposure in Libgcrypt

CWE-200 — Sensitive Information Exposure10 documents8 sources

Severity

7.5HIGHNVD

EPSS

1.9%

top 16.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnupg Libgcrypt Debian Linux

Timeline

PublishedAug 29

Latest updateMay 14

Description

Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgnupg/libgcrypt1.8.0

▶CVEListV5gnupg/libgcryptlibgcrypt

Also affects: Debian Linux 9.0

Patches

Patch: lists.debian.org ↗Patch: security-tracker.debian.org ↗Patch: www.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-j848-fx94-98m4: Libgcrypt before 1↗2022-05-14

▶

OSV

CVE-2017-0379: Libgcrypt before 1↗2017-08-29

▶

CVEList

CVE-2017-0379: Libgcrypt before 1↗2017-08-29

▶

📋Vendor Advisories

Ubuntu

Libgcrypt vulnerability↗2017-09-14

▶

Red Hat

libgcrypt: Missing input validation for X25519 curve↗2017-08-27

▶

Debian

CVE-2017-0379: libgcrypt20 - Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attack...↗2017

▶

💬Community

Bugzilla

CVE-2017-0379 mingw-libgcrypt: libgcrypt: Missing input validation for X25519 curve [fedora-all]↗2017-08-28

▶

Bugzilla

CVE-2017-0379 libgcrypt: Missing input validation for X25519 curve [fedora-all]↗2017-08-28

▶

Bugzilla

CVE-2017-0379 libgcrypt: Missing input validation for X25519 curve↗2017-08-28

▶