Vulnerability Details : CVE-2019-13627
It was discovered that there was an ECDSA timing attack in the libgcrypt20 cryptographic library. Versions affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
Products affected by CVE-2019-13627
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:libgcrypt20_project:libgcrypt20:1.6.3-2\+deb8u4:*:*:*:*:*:*:*
- cpe:2.3:a:libgcrypt20_project:libgcrypt20:1.7.6-2\+deb9u3:*:*:*:*:*:*:*
- cpe:2.3:a:libgcrypt20_project:libgcrypt20:1.8.4-5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13627
- EPSS score: 0.25% (probability of exploitation activity in the next 30 days)
- Percentile: ~64% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2019-13627
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.6 | LOW | AV:L/AC:H/Au:N/C:P/I:P/A:N | 1.9 | 4.9 | NIST |
6.3 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | 1.0 | 5.2 | NIST |
CWE ids for CVE-2019-13627
- The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-13627
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html: [security-announce] openSUSE-SU-2020:0022-1: moderate: Security update f (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/10/02/2: oss-security - Minerva: ECDSA key recovery from bit-length leakage (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/01/msg00001.html: [SECURITY] [DLA 1931-2] libgcrypt20 regression update (Third Party Advisory)
- https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5: Release libgcrypt-1.8.5 · gpg/libgcrypt · GitHub (Third Party Advisory)
- https://security.gentoo.org/glsa/202003-32: Libgcrypt: Side-channel attack (GLSA 202003-32), Gentoo security (Third Party Advisory)
- https://usn.ubuntu.com/4236-1/: USN-4236-1: Libgcrypt vulnerability | Ubuntu security notices (Third Party Advisory)
- https://usn.ubuntu.com/4236-3/: USN-4236-3: Libgcrypt vulnerability | Ubuntu security notices (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html: [security-announce] openSUSE-SU-2019:2161-1: moderate: Security update f (Third Party Advisory)
- https://security-tracker.debian.org/tracker/CVE-2019-13627: CVE-2019-13627 (Third Party Advisory)
- https://usn.ubuntu.com/4236-2/: USN-4236-2: Libgcrypt vulnerability | Ubuntu security notices (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html: [SECURITY] [DLA 1931-1] libgcrypt20 security update (Mailing List; Third Party Advisory)
- https://minerva.crocs.fi.muni.cz/: Minerva: The curse of ECDSA nonces (Third Party Advisory)