Lucene search

[email protected]NVD:CVE-2021-3798

HistoryAug 23, 2022 - 4:15 p.m.

CVE-2021-3798

2022-08-2316:15:09

CWE-200

[email protected]

web.nvd.nist.gov

opencryptoki

flaw

extraction

ec key

invalid curve attack

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

15.5%

JSON

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

Affected configurations

Nvd

Node

opencryptoki_projectopencryptokiRange<3.17.0

VendorProductVersionCPE
opencryptoki_projectopencryptoki*cpe:2.3:a:opencryptoki_project:opencryptoki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opencryptoki_project	opencryptoki	*	cpe:2.3:a:opencryptoki_project:opencryptoki::::::::

References

access.redhat.com/security/cve/CVE-2021-3798

bugzilla.redhat.com/show_bug.cgi?id=1990591

github.com/opencryptoki/opencryptoki/commit/4e3b43c3d8844402c04a66b55c6c940f965109f0

github.com/opencryptoki/opencryptoki/pull/402

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2021-3798

openvas2 cvelist1 rocky1 cbl_mariner1 cve1 prion1 redhatcve1 veracode1 osv1 debiancve1 rosalinux1 ubuntucve1 fedora1