{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-08-17T00:00:00", "descriptions": [{"lang": "en", "value": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-3650", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3650"}, {"name": "GLSA-201612-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201612-01"}, {"name": "USN-3064-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-3064-1"}, {"name": "DSA-3649", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3649"}, {"name": "GLSA-201610-04", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201610-04"}, {"name": "1036635", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036635"}, {"name": "[gnupg-announce] 20160817 [Announce] Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS"}, {"name": "RHSA-2016:2674", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2674.html"}, {"name": "92527", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92527"}, {"name": "USN-3065-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-3065-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-6313", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3650", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3650"}, {"name": "GLSA-201612-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-01"}, {"name": "USN-3064-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-3064-1"}, {"name": "DSA-3649", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3649"}, {"name": "GLSA-201610-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201610-04"}, {"name": "1036635", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036635"}, {"name": "[gnupg-announce] 20160817 [Announce] Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]", "refsource": "MLIST", "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"}, {"name": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=NEWS", "refsource": "CONFIRM", "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=NEWS"}, {"name": "RHSA-2016:2674", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2674.html"}, {"name": "92527", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92527"}, {"name": "USN-3065-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-3065-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:29:18.219Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3650", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3650"}, {"name": "GLSA-201612-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201612-01"}, {"name": "USN-3064-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-3064-1"}, {"name": "DSA-3649", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3649"}, {"name": "GLSA-201610-04", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201610-04"}, {"name": "1036635", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1036635"}, {"name": "[gnupg-announce] 20160817 [Announce] Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316]", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS"}, {"name": "RHSA-2016:2674", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2674.html"}, {"name": "92527", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/92527"}, {"name": "USN-3065-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-3065-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-6313", "datePublished": "2016-12-13T20:00:00", "dateReserved": "2016-07-26T00:00:00", "dateUpdated": "2024-08-06T01:29:18.219Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B83822B-BC72-455D-A350-7DC9545E14A9", "versionEndIncluding": "1.5.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3EC9966B-2C22-4DC5-BAFA-8BFFACF03048", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7D6A352-8F0D-4C4E-9D99-E47E63C2800C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "204BCDDC-1B38-4905-BD99-38E712FCB136", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "44EDEC6E-B053-4162-B5BF-45975B457E2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "84491FE3-2FF4-4953-B0AC-57C4F3BE409A", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "2DA8E460-8258-46D7-875E-DC389652392A", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "A52C9BAF-4EE6-4371-A0B7-0DB0CE429D64", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "68024F0D-19A3-4E20-B2A6-4E65278777F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "0A012DAB-3F4B-4236-9B6A-16B38B3F4ED9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD2DC7AC-70A6-433A-9104-2BF05CA1F02D", "versionEndIncluding": "1.4.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits."}, {"lang": "es", "value": "Las funciones de mezcla en el generador de n\u00fameros aleatorios en Libgcrypt en versiones anteriores a 1.5.6, 1.6.x en versiones anteriores a 1.6.6 y 1.7.x en versiones anteriores a 1.7.3 y GnuPG en versiones anteriores a 1.4.21 hacen m\u00e1s f\u00e1cil para atacantes obtener valores de 160 bits aprovechando el conocimiento de los 4640 bits previos."}], "id": "CVE-2016-6313", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-12-13T20:59:04.267", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-2674.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2016/dsa-3649"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2016/dsa-3650"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/92527"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1036635"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3064-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3065-1"}, {"source": "secalert@redhat.com", "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201610-04"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201612-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-2674.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2016/dsa-3649"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2016/dsa-3650"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/92527"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1036635"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3064-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3065-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=blob_plain%3Bf=NEWS"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201610-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201612-01"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Felix D\u00f6rre and Vladimir Klebanov for reporting this issue.", "affected_release": [{"advisory": "RHSA-2016:2674", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "libgcrypt-0:1.4.5-12.el6_8", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-11-08T00:00:00Z"}, {"advisory": "RHSA-2016:2674", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libgcrypt-0:1.5.3-13.el7_3.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-11-08T00:00:00Z"}], "bugzilla": {"description": "libgcrypt: PRNG output is predictable", "id": "1366105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1366105"}, "csaw": false, "cvss": {"cvss_base_score": "4.0", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "details": ["The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.", "A design flaw was found in the libgcrypt PRNG (Pseudo-Random Number Generator). An attacker able to obtain the first 580 bytes of the PRNG output could predict the following 20 bytes."], "name": "CVE-2016-6313", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2016-08-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-6313\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-6313\nhttps://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html"], "threat_severity": "Moderate"}

{}