4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
32.0%
Severity: High
Date : 2018-06-16
CVE-ID : CVE-2018-0495
Package : libgcrypt
Type : private key recovery
Remote : No
Link : https://security.archlinux.org/AVG-719
The package libgcrypt before version 1.8.3-1 is vulnerable to private
key recovery.
Upgrade to 1.8.3-1.
The problem has been fixed upstream in version 1.8.3.
None.
An implementation flaw has been discovered in multiple cryptographic
libraries that allows a side-channel based attacker to recover ECDSA or
DSA private keys. When these cryptographic libraries use the private
key to create a signature, such as for a TLS or SSH connection, they
inadvertently leak information through memory caches. An unprivileged
attacker running on the same machine can collect the information from a
few thousand signatures and recover the value of the private key.
An unprivileged user might be able to retrieve private keys on the
affected host.
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=9010d1576e278a4274ad3f4aa15776c28f6ba965;hp=7b6c2afd699e889f5f054cc3d202a61bd0ee1dcf
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
https://security.archlinux.org/CVE-2018-0495
git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=9010d1576e278a4274ad3f4aa15776c28f6ba965;hp=7b6c2afd699e889f5f054cc3d202a61bd0ee1dcf
lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
security.archlinux.org/AVG-719
security.archlinux.org/CVE-2018-0495
www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
32.0%