CVE-2014-1921 : parcimonie before 0.8.1, when using a large keyring, sleeps for the same amount

parcimonie before 0.8.1, when using a large keyring, sleeps for the same amount of time between fetches, which allows attackers to correlate key fetches via unspecified vectors.

Published 2014-02-14 15:55:06

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2014-1921

Parcimonie Project » Parcimonie
Versions up to, including, (<=) 0.7.1-1
cpe:2.3:a:parcimonie_project:parcimonie:*:*:*:*:*:*:*:*
Matching versions
Parcimonie Project » Parcimonie » Version: 0.7-1
cpe:2.3:a:parcimonie_project:parcimonie:0.7-1:*:*:*:*:*:*:*
Matching versions
Parcimonie Project » Parcimonie » Version: 0.6-3
cpe:2.3:a:parcimonie_project:parcimonie:0.6-3:*:*:*:*:*:*:*
Matching versions
Parcimonie Project » Parcimonie » Version: 0.6-1
cpe:2.3:a:parcimonie_project:parcimonie:0.6-1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-1921

EPSS FAQ

0.42%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-1921

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2014-1921

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-1921

http://www.securityfocus.com/bid/65505

parcimonie Remote Key Fetch Correlation Information Disclosure Weakness
http://seclists.org/oss-sec/2014/q1/305

oss-sec: CVE request: parcimonie (0.6 to 0.8, included) possible correlation between key fetches
http://www.debian.org/security/2014/dsa-2860

Debian -- Security Information -- DSA-2860-1 parcimonie
http://seclists.org/oss-sec/2014/q1/308

oss-sec: Re: CVE request: parcimonie (0.6 to 0.8, included) possible correlation between key fetches
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738134

#738134 - parcimonie: CVE-2014-1921: possible correlation between key fetches - Debian Bug report logs
https://gaffer.ptitcanardnoir.org/intrigeri/files/parcimonie/App-Parcimonie-0.8.1.tar.gz

Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/91118

parcimonie key information disclosure CVE-2014-1921 Vulnerability Report

Jump to

Vulnerability Details : CVE-2014-1921

Products affected by CVE-2014-1921

Exploit prediction scoring system (EPSS) score for CVE-2014-1921

CVSS scores for CVE-2014-1921

CWE ids for CVE-2014-1921

References for CVE-2014-1921