Information disclosure in gnupg1 (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-3591 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
gnupg1 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU30571
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-3591
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
MitigationInstall update from vendor's website.
Vulnerable software versionsgnupg1 (Alpine package): 1.4.17-r0 - 1.4.19-r0
CPE2.3- cpe:2.3:a:alpine:gnupg1_alpine_package:1.4.17-r0:*:*:*:*:alpine_linux:*:2.7
- cpe:2.3:a:alpine:gnupg1_alpine_package:1.4.18-r0:*:*:*:*:alpine_linux:*:3.1
- cpe:2.3:a:alpine:gnupg1_alpine_package:1.4.19-r0:*:*:*:*:alpine_linux:*:3.0
https://git.alpinelinux.org/aports/commit/?id=b2a97d70c3640757371cbf2be684f703a1cb6114
https://git.alpinelinux.org/aports/commit/?id=b580e2c8b6b04523d564c0a6c8b54fcf08e5203c
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
