Description
_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.
{"id": "CVE-2021-3345", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-3345", "description": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.", "published": "2021-01-29T15:15:00", "modified": "2022-04-26T16:08:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3345", "reporter": "cve@mitre.org", "references": ["https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=512c0c75276949f13b6373b5c04f7065af750b08", "https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html", "https://gnupg.org", "https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html", "https://bugs.gentoo.org/show_bug.cgi?id=767814", "https://www.oracle.com//security-alerts/cpujul2021.html"], "cvelist": ["CVE-2021-3345"], "immutableFields": [], "lastseen": "2022-04-26T20:14:19", "viewCount": 54, 
"enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-202101-45"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-3345"]}, {"type": "f5", "idList": ["F5:K00498403"]}, {"type": "githubexploit", "idList": ["EC2AFCFD-F205-5519-AC35-727179A57315"]}, {"type": "nessus", "idList": ["LIBGCRYPT_1_9_0.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2021"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-3345"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-3345"]}]}, "score": {"value": 5.6, "vector": "NONE"}, "twitter": {"counter": 9, "modified": "2021-04-28T11:49:17", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1356759076701618183", "text": " NEW: CVE-2021-3345 _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade... (click for more) https://t.co/6FcCxxUH4j?amp=1"}, {"link": "https://twitter.com/schestowitz/status/1356469420428832775", "text": "\"On the security side of things there has been quite a lot happening just the past week. sudo had CVE-2021-3156 and libgcrypt had CVE-2021-3345 which are both are quite severe.\" Don't use latest of crypto libs"}, {"link": "https://twitter.com/WolfgangSesin/status/1358828110003785728", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (Libgcrypt vulnerability CVE-2021-3345) has been published on https://t.co/MrcF7iZgdm?amp=1"}, {"link": "https://twitter.com/FortifiedITLtd/status/1356311372183855106", "text": "CVE-2021-3345\n_gcry_md_block_write in cipher/hash-common.c in Libgcrypt before 1.9.1 has a heap-based buffer overflow when the digest final function sets a large count value. 
https://"}, {"link": "https://twitter.com/FortifiedITLtd/status/1356311372183855106", "text": "CVE-2021-3345\n_gcry_md_block_write in cipher/hash-common.c in Libgcrypt before 1.9.1 has a heap-based buffer overflow when the digest final function sets a large count value. https://"}, {"link": "https://twitter.com/www_sesin_at/status/1358828107592052739", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (Libgcrypt vulnerability CVE-2021-3345) has been published on https://t.co/b82ehGTnyF?amp=1"}, {"link": "https://twitter.com/slashplus/status/1356342276230811648", "text": "[\u30bf\u30ec]\u30ea\u30ea\u30fc\u30b9\u76f4\u5f8c\u306b\u6df1\u523b\u306a\u8106\u5f31\u6027\u304c\u898b\u3064\u304b\u3063\u305fLibgcrypt 1.9.0\u3001\u30d0\u30fc\u30b8\u30e7\u30f31.9.1\u3078\u306e\u66f4\u65b0\u304c\u547c\u3073\u639b\u3051\u3089\u308c\u308b https://t.co/3SkE1E7Xb7?amp=1 \u6697\u53f7\u30e9\u30a4\u30d6\u30e9\u30eaLibgcrypt 1.9.0\u3067\u6df1\u523b\u306a\u30d2\u30fc\u30d7\u30d0\u30c3\u30d5\u30a1\u30fc\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u8106\u5f31\u6027(CVE-2021-3345)\u304c\u898b\u3064\u304b\u308a\u300129\u65e5\u306b\u4fee\u6b63\u7248\u306e\u30d0\u30fc\u30b8\u30e7\u30f31.9.1\u304chttps://t.co/XfeJmTAO4K?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1417627997918703619", "text": " NEW: CVE-2021-3345 _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade... 
(click for more) Severity: HIGH https://t.co/6FcCxxUH4j?amp=1"}, {"link": "https://twitter.com/fd0/status/1356861892992458752", "text": "libgcrypt\u306e\u8106\u5f31\u6027\u60c5\u5831(Critical: CVE-2021-3345) - https://t.co/5yYCgsjPxx?amp=1"}]}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-202101-45"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-3345"]}, {"type": "f5", "idList": ["F5:K00498403"]}, {"type": "githubexploit", "idList": ["EC2AFCFD-F205-5519-AC35-727179A57315"]}, {"type": "nessus", "idList": ["LIBGCRYPT_1_9_0.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2021"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-3345"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-3345"]}]}, "exploitation": null, "vulnersScore": 5.6}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3.0", "cpe:/a:gnupg:libgcrypt:1.9.0"], "cpe23": ["cpe:2.3:a:gnupg:libgcrypt:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "affectedSoftware": [{"cpeName": "gnupg:libgcrypt", "version": "1.9.0", "operator": "eq", "name": "gnupg libgcrypt"}, {"cpeName": "oracle:communications_billing_and_revenue_management", "version": "12.0.0.3.0", "operator": "eq", "name": "oracle communications billing and revenue management"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:gnupg:libgcrypt:1.9.0:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": 
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=512c0c75276949f13b6373b5c04f7065af750b08", "name": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=512c0c75276949f13b6373b5c04f7065af750b08", "refsource": "MISC", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": "https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html", "name": "https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html", "refsource": "MISC", "tags": ["Mailing List", "Patch", "Vendor Advisory"]}, {"url": "https://gnupg.org", "name": "https://gnupg.org", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html", "name": "https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html", "refsource": "MISC", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "https://bugs.gentoo.org/show_bug.cgi?id=767814", "name": "https://bugs.gentoo.org/show_bug.cgi?id=767814", "refsource": "MISC", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "name": "N/A", "refsource": "N/A", "tags": ["Third Party Advisory"]}]}
{"ubuntucve": [{"lastseen": "2021-11-22T21:23:39", "description": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has\na heap-based buffer overflow when the digest final function sets a large\ncount value. It is recommended to upgrade to 1.9.1 or later.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-29T00:00:00", "type": "ubuntucve", "title": "CVE-2021-3345", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3345"], "modified": "2021-01-29T00:00:00", "id": "UB:CVE-2021-3345", "href": "https://ubuntu.com/security/CVE-2021-3345", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2022-02-01T00:00:00", "description": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later. 
([CVE-2021-3345](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3345>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-08T17:06:00", "type": "f5", "title": "Libgcrypt vulnerability CVE-2021-3345", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3345"], "modified": "2021-02-08T17:06:00", "id": "F5:K00498403", "href": "https://support.f5.com/csp/article/K00498403", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2022-04-14T07:38:23", "description": "_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. 
It is recommended to upgrade to 1.9.1 or later.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-29T15:15:00", "type": "debiancve", "title": "CVE-2021-3345", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3345"], "modified": "2021-01-29T15:15:00", "id": "DEBIANCVE:CVE-2021-3345", "href": "https://security-tracker.debian.org/tracker/CVE-2021-3345", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-23T14:48:59", "description": "According to its self-reported version number, the libgcrypt application on the remote server is prior to 1.9.1. 
It is, therefore, affected by a heap-based buffer overflow vulnerability.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-07-21T00:00:00", "type": "nessus", "title": "Libgcrypt < 1.9.1 Heap Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3345"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:gnupg:libgcrypt"], "id": "LIBGCRYPT_1_9_0.NASL", "href": "https://www.tenable.com/plugins/nessus/151882", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151882);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-3345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0056-S\");\n\n script_name(english:\"Libgcrypt < 1.9.1 Heap Buffer Overflow Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A library installed on the remote server is affected by\na heap based buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the libgcrypt\napplication on the remote server is prior to 1.9.1. 
It\nis, therefore, affected by a heap-based buffer overflow\nvulnerability.\");\n # https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d0f53fb2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to libgcrypt version 1.9.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3345\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnupg:libgcrypt\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"libgcrypt_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Libgcrypt\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app = 'Libgcrypt';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nvar app_info = vcf::get_app_info(app:app);\n\nvar constraints = [{ 'min_version' : '1.9.0', 'fixed_version' : '1.9.1' }];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:56", "description": "Arch Linux Security Advisory ASA-202101-45\n==========================================\n\nSeverity: Critical\nDate : 2021-01-29\nCVE-ID : CVE-2021-3345\nPackage : libgcrypt\nType : arbitrary code execution\nRemote : No\nLink : https://security.archlinux.org/AVG-1505\n\nSummary\n=======\n\nThe package libgcrypt before version 1.9.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 1.9.1-1.\n\n# pacman -Syu \"libgcrypt>=1.9.1-1\"\n\nThe problem has been fixed upstream in version 1.9.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n_gcry_md_block_write in cipher/hash-common.c in libgcrypt version 1.9.0\nhas a heap-based buffer overflow when the digest final function sets a\nlarge count value. Just decrypting some data can overflow a heap buffer\nwith attacker controlled data, no verification or signature is\nvalidated before the vulnerability occurs. 
The issue is fixed in\nversion 1.9.1.\n\nImpact\n======\n\nAn attacker is able to execute arbitrary code on the affected host\nbefore a given signature has been verified.\n\nReferences\n==========\n\nhttps://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html\nhttps://dev.gnupg.org/T5275\nhttps://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=512c0c75276949f13b6373b5c04f7065af750b08\nhttps://security.archlinux.org/CVE-2021-3345", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-29T00:00:00", "type": "archlinux", "title": "[ASA-202101-45] libgcrypt: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3345"], "modified": "2021-01-29T00:00:00", "id": "ASA-202101-45", "href": "https://security.archlinux.org/ASA-202101-45", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2022-06-08T11:10:41", "description": "A flaw was found in libgcrypt. A heap-based buffer overflow in the block buffer management code may lead to memory corruption before any verification is made or signature is validated. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-01T20:56:22", "type": "redhatcve", "title": "CVE-2021-3345", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3345"], "modified": "2022-06-08T08:13:25", "id": "RH:CVE-2021-3345", "href": "https://access.redhat.com/security/cve/cve-2021-3345", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2021-12-10T15:18:17", "description": "# CVE-2021-3345\n\n#### How to build vulnerable libgcrypt\n``` \ngit...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-31T09:28:14", "type": "githubexploit", "title": 
"Exploit for Out-of-bounds Write in Gnupg Libgcrypt", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3345"], "modified": "2021-11-06T20:35:29", "id": "EC2AFCFD-F205-5519-AC35-727179A57315", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "oracle": [{"lastseen": "2021-10-22T15:44:17", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. 
Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 342 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2788740.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2015-0254", "CVE-2016-0762", "CVE-2016-4429", "CVE-2017-14735", "CVE-2017-16931", "CVE-2017-3735", "CVE-2017-5461", "CVE-2017-5637", "CVE-2017-7656", "CVE-2017-7657", "CVE-2017-7658", "CVE-2017-9735", "CVE-2018-0737", "CVE-2018-0739", "CVE-2018-15686", "CVE-2018-21010", "CVE-2018-7160", "CVE-2018-7183", "CVE-2019-0190", "CVE-2019-0201", 
"CVE-2019-0205", "CVE-2019-0210", "CVE-2019-0219", "CVE-2019-0228", "CVE-2019-10086", "CVE-2019-10173", "CVE-2019-10746", "CVE-2019-11358", "CVE-2019-12260", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12973", "CVE-2019-13990", "CVE-2019-15604", "CVE-2019-15605", "CVE-2019-15606", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17195", "CVE-2019-17531", "CVE-2019-17543", "CVE-2019-17545", "CVE-2019-17566", "CVE-2019-20330", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2897", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5063", "CVE-2019-5064", "CVE-2020-10543", "CVE-2020-10683", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11612", "CVE-2020-11868", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11988", "CVE-2020-11998", "CVE-2020-12723", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13949", "CVE-2020-13956", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-14756", "CVE-2020-15389", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24553", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-2555", "CVE-2020-25638", "CVE-2020-25648", "CVE-2020-25649", "CVE-2020-2604", "CVE-2020-26217", "CVE-2020-26870", "CVE-2020-27193", "CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27783", "CVE-2020-27814", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27844", "CVE-2020-27845", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28928", "CVE-2020-29582", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5258", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-7016", "CVE-2020-7017", "CVE-2020-7712", "CVE-2020-7733", "CVE-2020-7760", 
"CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9484", "CVE-2020-9489", "CVE-2021-20190", "CVE-2021-20227", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21341", "CVE-2021-21342", "CVE-2021-21343", "CVE-2021-21344", "CVE-2021-21345", "CVE-2021-21346", "CVE-2021-21347", "CVE-2021-21348", "CVE-2021-21349", "CVE-2021-21350", "CVE-2021-21351", "CVE-2021-21409", "CVE-2021-22112", "CVE-2021-22118", "CVE-2021-2244", "CVE-2021-22876", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-22890", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-2323", "CVE-2021-2324", "CVE-2021-2326", "CVE-2021-2328", "CVE-2021-2329", "CVE-2021-2330", "CVE-2021-2333", "CVE-2021-23336", "CVE-2021-2334", "CVE-2021-2335", "CVE-2021-2336", "CVE-2021-2337", "CVE-2021-2338", "CVE-2021-2339", "CVE-2021-2340", "CVE-2021-2341", "CVE-2021-2342", "CVE-2021-2343", "CVE-2021-2344", "CVE-2021-2345", "CVE-2021-2346", "CVE-2021-2347", "CVE-2021-2348", "CVE-2021-2349", "CVE-2021-2350", "CVE-2021-2351", "CVE-2021-2352", "CVE-2021-2353", "CVE-2021-2354", "CVE-2021-2355", "CVE-2021-2356", "CVE-2021-2357", "CVE-2021-2358", "CVE-2021-2359", "CVE-2021-2360", "CVE-2021-2361", "CVE-2021-2362", "CVE-2021-2363", "CVE-2021-2364", "CVE-2021-2365", "CVE-2021-2366", "CVE-2021-2367", "CVE-2021-2368", "CVE-2021-2369", "CVE-2021-2370", "CVE-2021-2371", "CVE-2021-2372", "CVE-2021-2373", "CVE-2021-2374", "CVE-2021-2375", "CVE-2021-2376", "CVE-2021-2377", "CVE-2021-2378", "CVE-2021-2380", "CVE-2021-2381", "CVE-2021-2382", "CVE-2021-2383", "CVE-2021-23839", "CVE-2021-2384", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2385", "CVE-2021-2386", "CVE-2021-2387", "CVE-2021-2388", "CVE-2021-2389", "CVE-2021-2390", "CVE-2021-2391", "CVE-2021-2392", "CVE-2021-2393", "CVE-2021-2394", "CVE-2021-2395", "CVE-2021-2396", "CVE-2021-2397", "CVE-2021-2398", "CVE-2021-2399", "CVE-2021-2400", "CVE-2021-2401", "CVE-2021-2402", 
"CVE-2021-2403", "CVE-2021-2404", "CVE-2021-2405", "CVE-2021-2406", "CVE-2021-2407", "CVE-2021-2408", "CVE-2021-2409", "CVE-2021-2410", "CVE-2021-2411", "CVE-2021-2412", "CVE-2021-24122", "CVE-2021-2415", "CVE-2021-2417", "CVE-2021-2418", "CVE-2021-2419", "CVE-2021-2420", "CVE-2021-2421", "CVE-2021-2422", "CVE-2021-2423", "CVE-2021-2424", "CVE-2021-2425", "CVE-2021-2426", "CVE-2021-2427", "CVE-2021-2428", "CVE-2021-2429", "CVE-2021-2430", "CVE-2021-2431", "CVE-2021-2432", "CVE-2021-2433", "CVE-2021-2434", "CVE-2021-2435", "CVE-2021-2436", "CVE-2021-2437", "CVE-2021-2438", "CVE-2021-2439", "CVE-2021-2440", "CVE-2021-2441", "CVE-2021-2442", "CVE-2021-2443", "CVE-2021-2444", "CVE-2021-2445", "CVE-2021-2446", "CVE-2021-2447", "CVE-2021-2448", "CVE-2021-2449", "CVE-2021-2450", "CVE-2021-2451", "CVE-2021-2452", "CVE-2021-2453", "CVE-2021-2454", "CVE-2021-2455", "CVE-2021-2456", "CVE-2021-2457", "CVE-2021-2458", "CVE-2021-2460", "CVE-2021-2462", "CVE-2021-2463", "CVE-2021-25122", "CVE-2021-25329", "CVE-2021-26117", "CVE-2021-26271", "CVE-2021-26272", "CVE-2021-27568", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28041", "CVE-2021-29921", "CVE-2021-30369", "CVE-2021-30640", "CVE-2021-3156", "CVE-2021-3177", "CVE-2021-31811", "CVE-2021-33037", "CVE-2021-3345", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-3520", "CVE-2021-3560"], "modified": "2021-09-03T00:00:00", "id": "ORACLE:CPUJUL2021", "href": "https://www.oracle.com/security-alerts/cpujul2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}