CVE-2021-33560

HIGH
Published Jun 8, 2021 (5y ago) · Modified Jun 17, 2026 (2w ago)
7.5 CVSS 3.1

Description

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-203
CWE-325

Affected Products 13

Vendor | Product | Version | Range
gnupg | libgcrypt | * | <1.8.8
gnupg | libgcrypt | * | ≥1.9.0 – <1.9.3
debian | debian_linux | 9.0 | any
fedoraproject | fedora | 33 | any
fedoraproject | fedora | 34 | any
oracle | communications_cloud_native_core_binding_support_function | 1.11.0 | any
oracle | communications_cloud_native_core_network_function_cloud_native_environment | 1.9.0 | any
oracle | communications_cloud_native_core_network_function_cloud_native_environment | 1.10.0 | any
oracle | communications_cloud_native_core_network_repository_function | 1.14.0 | any
oracle | communications_cloud_native_core_network_repository_function | 1.15.0 | any
oracle | communications_cloud_native_core_network_repository_function | 1.15.1 | any
oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 | any
oracle | communications_cloud_native_core_service_communication_proxy | 1.15.0 | any

References 12

  • dev.gnupg.org https://dev.gnupg.org/T5305
    Release Notes, Vendor Advisory
  • dev.gnupg.org https://dev.gnupg.org/T5328
    Vendor Advisory
  • dev.gnupg.org https://dev.gnupg.org/T5466
    Release Notes, Vendor Advisory
  • dev.gnupg.org https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61
    Patch, Vendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/
  • security.gentoo.org https://security.gentoo.org/glsa/202210-13
    Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuoct2021.html
    Third Party Advisory

Remediation

  • dev.gnupg.org https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61
    Patch, Vendor Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujan2022.html
    Patch, Third Party Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpujul2022.html
    Patch, Third Party Advisory