5.5

CVE-2021-3446

EPSS 0.04%
Published 25.03.2021 19:15:14
Last modified 21.11.2024 06:21:32
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Libtpms Project ≫ Libtpms Version < 0.8.2

Redhat ≫ Enterprise Linux Version8.0 SwEditionadvanced_virtualization

Fedoraproject ≫ Fedora Version33

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.081

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://bugzilla.redhat.com/show_bug.cgi?id=1939664

Patch

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2021-3446

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3446

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3446

EUVD