CVE-2021-3711
Severity
9.8 CRITICAL
EPSS
2.5%
top 14.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 24
Latest update: May 24
Description
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 23 packages
Also affects: Debian Linux 10.0, 11.0
Patches
Vulnerability Details
OSV (6 entries): CVE-2021-3711: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt() (2021-08-24)
Vendor Advisories
Oracle (8 entries): Oracle Health Sciences Applications Risk Matrix: Connector (OpenSSL) — CVE-2021-3711 (2022-04-15)