CVE-2021-33560

HIGH

Libgcrypt <1.8.8 & <1.9.3 - Info Disclosure

Title source: llm

Description

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

Exploits (1)

nomisec SCANNER 1 stars
by IBM · poc
https://github.com/IBM/PGP-client-checker-CVE-2021-33560

Scores

CVSS v3 7.5
EPSS 0.0043
EPSS Percentile 62.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-325 CWE-203
Status published
Products (12)
debian/debian_linux 9.0
fedoraproject/fedora 33
fedoraproject/fedora 34
gnupg/libgcrypt < 1.8.8
oracle/communications_cloud_native_core_binding_support_function 1.11.0
oracle/communications_cloud_native_core_network_function_cloud_native_environment 1.9.0
oracle/communications_cloud_native_core_network_function_cloud_native_environment 1.10.0
oracle/communications_cloud_native_core_network_repository_function 1.14.0
oracle/communications_cloud_native_core_network_repository_function 1.15.0
oracle/communications_cloud_native_core_network_repository_function 1.15.1
... and 2 more
Published Jun 08, 2021
Tracked Since Feb 18, 2026