4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.05 Low
EPSS
Percentile
92.9%
Severity: High
Date : 2019-12-06
CVE-ID : CVE-2019-14318
Package : crypto++
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-1046
The package crypto++ before version 8.2.0-2 is vulnerable to private
key recovery.
Upgrade to 8.2.0-2.
The problem has been fixed upstream but no release is available yet.
None.
A vulnerability has been found in the ECDSA/EdDSA implementation of
crypto++ up to 8.2.0, allowing for practical recovery of the long-term
private key.
An attacker might be able to recover long-term private key by measuring
the duration of hundreds to thousands of signing operations of known
messages.
https://seclists.org/oss-sec/2019/q4/3
https://minerva.crocs.fi.muni.cz/
https://github.com/weidai11/cryptopp/issues/869
https://github.com/weidai11/cryptopp/pull/870/commits/80c59bcdb251043f27eef95a4f31224c4615c3ec
https://github.com/weidai11/cryptopp/commit/c9ef9420e762
https://security.archlinux.org/CVE-2019-14318
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.05 Low
EPSS
Percentile
92.9%