Vulnerability Description
The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnupg | Libgcrypt | < 1.9.4 |
Related Weaknesses (CWE)
References
- https://eprint.iacr.org/2021/923Technical DescriptionThird Party Advisory
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgThird Party Advisory
- https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgExploitThird Party Advisory
- https://security.gentoo.org/glsa/202210-13Third Party Advisory
- https://eprint.iacr.org/2021/923Technical DescriptionThird Party Advisory
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=3462280f
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgThird Party Advisory
- https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgExploitThird Party Advisory
- https://security.gentoo.org/glsa/202210-13Third Party Advisory
FAQ
What is CVE-2021-40528?
CVE-2021-40528 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by ...
How severe is CVE-2021-40528?
CVE-2021-40528 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-40528?
Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Libgcrypt.