CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score: 6.8 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.7%)
Software: opencryptoki 3.14.0
OS: ROSA Virtualization 2.1
package_evr_string: opencryptoki-3.14.0
CVE-ID: CVE-2021-3798
BDU-ID:
CVE-Crit: MEDIUM
CVE-DESC.: The openCryptoki software token does not check whether an EC key is valid when the key is created with C_CreateObject, or when C_DeriveKey is used with ECDH public data. This could allow an attacker to extract the private key by performing an invalid curve attack.
CVE-STATUS: Not Relevant
CVE-REV:
| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ROSA | any | noarch | opencryptoki | < 3.14.0 | UNKNOWN |