Lucene search

MitreCVE-2021-40529

HistorySep 06, 2021 - 7:15 p.m.

CVE-2021-40529

2021-09-0619:15:07

CWE-327

mitre

web.nvd.nist.gov

110

botan

elgamal

plaintext recovery

cve-2021-40529

thunderbird

nvd

openpgp

cryptographic libraries

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.003

Percentile

68.7%

JSON

The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver’s public key, the generator defined by the receiver’s public key, and the sender’s ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Affected configurations

Nvd

Node

botan_projectbotanRange≤2.18.1

Node

fedoraprojectfedoraMatch34

fedoraprojectfedoraMatch35

Node

mozillathunderbirdRange<91.12.0

VendorProductVersionCPE
botan_projectbotan*cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraprojectfedora35cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
botan_project	botan	*	cpe:2.3:a:botan_project:botan::::::::
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::