CVE-2021-3798Sensitive Information Exposure in Project Opencryptoki

CWE-200Sensitive Information ExposureCWE-295Improper Certificate Validation7 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 63.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Opencryptoki Project Opencryptoki
Timeline
PublishedAug 23
Latest updateAug 24

Description

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5opencryptoki_project/opencryptokiFixed in v3.17.0

Patches

Patch: bugzilla.redhat.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
GHSA-f2gp-jqv6-cmxg: A flaw was found in openCryptoki2022-08-24
OSV
CVE-2021-3798: A flaw was found in openCryptoki2022-08-23
CVEList
CVE-2021-3798: A flaw was found in openCryptoki2022-08-23

📋Vendor Advisories

3
Microsoft
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject nor when C_DeriveKey is used with ECDH public data. This2022-08-09
Red Hat
openCryptoki: Soft token does not check if an EC key is valid2021-05-18
Debian
CVE-2021-3798: opencryptoki - A flaw was found in openCryptoki. The openCryptoki Soft token does not check if ...2021
CVE-2021-3798 — Sensitive Information Exposure | cvebase