{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-3580", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T17:01:06.534Z", "dateReserved": "2021-06-04T00:00:00", "datePublished": "2021-08-05T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-01-16T15:06:19.141036"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service."}], "affected": [{"vendor": "n/a", "product": "nettle", "versions": [{"version": "nettle 3.7.3", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967983"}, {"name": "[debian-lts-announce] 20210918 [SECURITY] [DLA 2760-1] nettle security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html"}, {"url": "https://security.netapp.com/advisory/ntap-20211104-0006/"}, {"name": "GLSA-202401-24", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-24"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20", "cweId": "CWE-20"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:06.534Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967983", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20210918 [SECURITY] [DLA 2760-1] nettle security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html"}, {"url": "https://security.netapp.com/advisory/ntap-20211104-0006/", "tags": ["x_transferred"]}, {"name": "GLSA-202401-24", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-24"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nettle_project:nettle:*:*:*:*:*:*:*:*", "matchCriteriaId": "F76873D4-2279-47A8-BE90-A69BB90294CB", "versionEndExcluding": "3.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service."}, {"lang": "es", "value": "Se ha encontrado un fallo en la manera en que las funciones de descifrado RSA de Nettle manejan el texto cifrado especialmente dise\u00f1ado. Un atacante podr\u00eda usar este fallo para proporcionar un texto cifrado manipulado, conllevando al bloqueo de la aplicaci\u00f3n y la denegaci\u00f3n de servicio"}], "id": "CVE-2021-3580", "lastModified": "2024-01-16T15:15:08.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-05T21:15:12.853", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967983"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202401-24"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211104-0006/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the GNU Nettle project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:4451", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnutls-0:3.6.16-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4451", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nettle-0:3.4.1-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4451", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnutls-0:3.6.16-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4451", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "nettle-0:3.4.1-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "nettle: Remote crash in RSA decryption via manipulated ciphertext", "id": "1967983", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1967983"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", "A flaw was found in nettle in the way its RSA decryption functions handle specially crafted ciphertext. This flaw allows an attacker to provide a manipulated ciphertext, leading to an application crash and a denial of service."], "mitigation": {"lang": "en:us", "value": "As per upstream: For applications that want to support older versions of nettle, the bug can be worked around by adding a check that the RSA ciphertext is in the range 0 < ciphertext < n, before attempting to decrypt it."}, "name": "CVE-2021-3580", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "nettle", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mingw-nettle", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nettle", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-06-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3580\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3580"], "threat_severity": "Moderate", "upstream_fix": "nettle 3.7.3"}