CVE-2014-3591
libgcrypt11 - security update
4.2 MEDIUM (CVSS 3.1)
EPSS 0.14%
Description
Libgcrypt before 1.6.3 and GnuPG before 1.4.19 do not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
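To show what ciphertext blinding changes, the following added example (not code from Libgcrypt, GnuPG, or this advisory) decrypts a textbook Elgamal ciphertext with and without multiplicative blinding. The toy prime, generator, and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters (assumption): far too small for real use.
P = 2**127 - 1   # a Mersenne prime used as the modulus
G = 3            # base for the demo

def keygen():
    x = secrets.randbelow(P - 3) + 2          # private exponent
    return x, pow(G, x, P)                    # (x, y = g^x mod p)

def encrypt(y, m):
    k = secrets.randbelow(P - 3) + 2          # per-message ephemeral exponent
    return pow(G, k, P), (m * pow(y, k, P)) % P   # ciphertext (a, b)

def _check(a, b):
    # Reject values outside the multiplicative group before using the key.
    if not (0 < a < P and 0 < b < P):
        raise ValueError("ciphertext component out of range")

def decrypt_unblinded(x, a, b):
    # Pattern the description refers to: the secret exponent x is applied
    # directly to a value the sender of the ciphertext fully controls.
    _check(a, b)
    s = pow(a, x, P)
    return (b * pow(s, -1, P)) % P

def blind(a, r):
    # Blinded base: unpredictable to whoever crafted a, because r is secret.
    return (a * r) % P

def decrypt_blinded(x, a, b, r=None):
    # Blinding: exponentiate a*r instead of a, then cancel the r^x factor.
    _check(a, b)
    if r is None:
        r = secrets.randbelow(P - 1) + 1      # fresh random r in [1, P-1]
    s_blind = pow(blind(a, r), x, P)          # (a*r)^x mod p
    unblind = pow(r, x, P)                    # r^x mod p
    # b * r^x / (a*r)^x == b / a^x == m
    return (b * unblind * pow(s_blind, -1, P)) % P

if __name__ == "__main__":
    x, y = keygen()
    a, b = encrypt(y, 0xC0FFEE)
    print(hex(decrypt_unblinded(x, a, b)), hex(decrypt_blinded(x, a, b)))
```

Both functions return the same plaintext; the difference is that with blinding the operands of the modular multiplications depend on a fresh random `r` on every call rather than only on the submitted ciphertext.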
How to fix CVE-2014-3591
To remediate CVE-2014-3591, upgrade the affected package to a fixed version below.
- upgrade to 1.4.10-4+squeeze7 or later
- upgrade to 1.4.12-7+deb7u7 or later
- upgrade to 1.4.5-2+squeeze3 or later
- upgrade to 1.5.0-5+deb7u3 or later
- upgrade to 1.6.3-2 or later
Is CVE-2014-3591 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 1.4.10-4+squeeze7
- from 0, < 1.4.12-7+deb7u7
- from 0, < 1.4.5-2+squeeze3
- from 0, < 1.5.0-5+deb7u3
- from 0, < 1.6.3-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.2 | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |