Lucene search

[email protected]NVD:CVE-2021-3446

HistoryMar 25, 2021 - 7:15 p.m.

CVE-2021-3446

2021-03-2519:15:14

CWE-330

CWE-327

[email protected]

web.nvd.nist.gov

flaw

libtpms

data confidentiality

openssl

vulnerability

cipher

encryption

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

12.6%

JSON

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality.

Affected configurations

Nvd

Node

libtpms_projectlibtpmsRange<0.8.2

Node

redhatenterprise_linuxMatch8.0advanced_virtualization

Node

fedoraprojectfedoraMatch33

VendorProductVersionCPE
libtpms_projectlibtpms*cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
fedoraprojectfedora33cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
libtpms_project	libtpms	*	cpe:2.3:a:libtpms_project:libtpms::::::::
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0::::advanced_virtualization:::
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*