CVE-2021-40529 - log

CVE-2021-40529 edited at 25 Oct 2021 14:02:45
Description
- The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
+ The ElGamal implementation in Botan before version 2.18.2, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
References
https://eprint.iacr.org/2021/923
https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
https://github.com/randombit/botan/pull/2790
- https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2
+ https://github.com/randombit/botan/commit/b031bd90d4e888e886d23dccd4f60a2209edbe00
CVE-2021-40529 edited at 09 Sep 2021 12:46:24
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
References
+ https://eprint.iacr.org/2021/923
+ https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
+ https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
+ https://github.com/randombit/botan/pull/2790
+ https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2
Notes
CVE-2021-40529 created at 09 Sep 2021 12:45:02