It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:L/AC:H/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Libgcrypt20 Project
  • Libgcrypt20
Opensuse
  • Leap
Redhat
  • Enterprise Linux

Configuration 1 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:a:libgcrypt20_project:libgcrypt20:1.6.3-2\+deb8u4:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:a:libgcrypt20_project:libgcrypt20:1.7.6-2\+deb9u3:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:a:libgcrypt20_project:libgcrypt20:1.8.4-5:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 8
libgcrypt-0:1.8.5-4.el8 cpe:/o:redhat:enterprise_linux:8 RHSA-2020:4482 2020-11-04T00:00:00Z
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2019/10/02/2 cve-icon cve-icon
https://dev.gnupg.org/T4683 cve-icon
https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2020/01/msg00001.html cve-icon cve-icon
https://minerva.crocs.fi.muni.cz/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-13627 cve-icon
https://security-tracker.debian.org/tracker/CVE-2019-13627 cve-icon cve-icon
https://security.gentoo.org/glsa/202003-32 cve-icon cve-icon
https://usn.ubuntu.com/4236-1/ cve-icon cve-icon
https://usn.ubuntu.com/4236-2/ cve-icon cve-icon
https://usn.ubuntu.com/4236-3/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-13627 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-25T14:44:45

Updated: 2024-08-04T23:57:39.524Z

Reserved: 2019-07-17T00:00:00

Link: CVE-2019-13627

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2019-09-25T15:15:11.877

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-13627

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-10-02T00:00:00Z

Links: CVE-2019-13627 - Bugzilla