CVE-2021-33560 — HIGH (7.5)

Q: How severe is CVE-2021-33560?

CVE-2021-33560 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-33560?

Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Libgcrypt, Debian Debian Linux, Fedoraproject Fedora, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment.

Vulnerability Description

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Gnupg	Libgcrypt	< 1.8.8
Debian	Debian Linux	9.0
Fedoraproject	Fedora	33
Oracle	Communications Cloud Native Core Binding Support Function	1.11.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.9.0
Oracle	Communications Cloud Native Core Network Repository Function	1.14.0
Oracle	Communications Cloud Native Core Network Slice Selection Function	1.8.0
Oracle	Communications Cloud Native Core Service Communication Proxy	1.15.0

Related Weaknesses (CWE)

CWE-203 CWE-325

References

https://dev.gnupg.org/T5305Release NotesVendor Advisory
https://dev.gnupg.org/T5328Vendor Advisory
https://dev.gnupg.org/T5466Release NotesVendor Advisory
https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61PatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00021.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202210-13Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
https://dev.gnupg.org/T5305Release NotesVendor Advisory
https://dev.gnupg.org/T5328Vendor Advisory
https://dev.gnupg.org/T5466Release NotesVendor Advisory

FAQ

What is CVE-2021-33560?

CVE-2021-33560 is a vulnerability with a CVSS score of 7.5 (HIGH). Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appr...

How severe is CVE-2021-33560?

CVE-2021-33560 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33560?

Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Libgcrypt, Debian Debian Linux, Fedoraproject Fedora, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment.