ECDSA Timing Attack Vulnerability in libgcrypt20 by GnuPG
CVE-2019-13627

6.3MEDIUM

Key Information:

Vendor

Canonical

Status
Ubuntu Linux
Leap
Vendor
CVE Published:
25 September 2019

What is CVE-2019-13627?

A vulnerability was identified in the libgcrypt20 cryptographic library where an ECDSA timing attack could potentially allow attackers to recover private keys. This vulnerability affects specific versions of the library, and it's crucial for users to update to the fixed versions to mitigate the risk. Patching to versions 1.8.5-2 or 1.6.3-2+deb8u7 is highly advised to ensure security and protect sensitive data.

References

http://lists.opensuse.org/opensuse-security-announce/2019...
vendor-advisoryx_refsource_SUSE
https://lists.debian.org/debian-lts-announce/2019/09/msg0...
mailing-listx_refsource_MLIST
https://security-tracker.debian.org/tracker/CVE-2019-13627
x_refsource_MISC

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2019-13627 : ECDSA Timing Attack Vulnerability in libgcrypt20 by GnuPG