Vulnerability details: VCID-2rt9-444r-nfbz
Vulnerability ID VCID-2rt9-444r-nfbz
Aliases CVE-2019-1547
Summary Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Status Published
Exploitability 0.5
Weighted Severity 5.0
Risk 2.5
System Score Found at
ssvc Track http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
ssvc Track http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
ssvc Track http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
ssvc Track http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
ssvc Track http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1547.json
epss 0.00142 https://api.first.org/data/v1/epss?cve=CVE-2019-1547
ssvc Track https://arxiv.org/abs/1909.01785
cvssv3 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
ssvc Track https://kc.mcafee.com/corporate/index?page=content&id=SB10365
ssvc Track https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
cvssv2 1.9 https://nvd.nist.gov/vuln/detail/CVE-2019-1547
cvssv3.1 4.7 https://nvd.nist.gov/vuln/detail/CVE-2019-1547
ssvc Track https://seclists.org/bugtraq/2019/Oct/0
ssvc Track https://seclists.org/bugtraq/2019/Oct/1
ssvc Track https://seclists.org/bugtraq/2019/Sep/25
ssvc Track https://security.gentoo.org/glsa/201911-04
ssvc Track https://security.netapp.com/advisory/ntap-20190919-0002/
ssvc Track https://security.netapp.com/advisory/ntap-20200122-0002/
ssvc Track https://security.netapp.com/advisory/ntap-20200416-0003/
ssvc Track https://security.netapp.com/advisory/ntap-20240621-0006/
ssvc Track https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS
ssvc Track https://usn.ubuntu.com/4376-1/
ssvc Track https://usn.ubuntu.com/4376-2/
ssvc Track https://usn.ubuntu.com/4504-1/
ssvc Track https://www.debian.org/security/2019/dsa-4539
ssvc Track https://www.debian.org/security/2019/dsa-4540
ssvc Track https://www.openssl.org/news/secadv/20190910.txt
ssvc Track https://www.oracle.com/security-alerts/cpuapr2020.html
ssvc Track https://www.oracle.com/security-alerts/cpujan2020.html
ssvc Track https://www.oracle.com/security-alerts/cpujul2020.html
ssvc Track https://www.oracle.com/security-alerts/cpuoct2020.html
ssvc Track https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
ssvc Track https://www.tenable.com/security/tns-2019-08
ssvc Track https://www.tenable.com/security/tns-2019-09
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1547.json
https://api.first.org/data/v1/epss?cve=CVE-2019-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.tenable.com/security/tns-2019-08
https://www.tenable.com/security/tns-2019-09
0 https://seclists.org/bugtraq/2019/Oct/0
1 https://seclists.org/bugtraq/2019/Oct/1
1752090 https://bugzilla.redhat.com/show_bug.cgi?id=1752090
1909.01785 https://arxiv.org/abs/1909.01785
20190910.txt https://www.openssl.org/news/secadv/20190910.txt
201911-04 https://security.gentoo.org/glsa/201911-04
25 https://seclists.org/bugtraq/2019/Sep/25
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
CVE-2019-1547 https://nvd.nist.gov/vuln/detail/CVE-2019-1547
dsa-4539 https://www.debian.org/security/2019/dsa-4539
dsa-4540 https://www.debian.org/security/2019/dsa-4540
GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
index?page=content&id=SB10365 https://kc.mcafee.com/corporate/index?page=content&id=SB10365
K73422160?utm_source=f5support&amp%3Butm_medium=RSS https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS
msg00012.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
msg00016.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
msg00026.html https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
msg00054.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
msg00072.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
ntap-20190919-0002 https://security.netapp.com/advisory/ntap-20190919-0002/
ntap-20200122-0002 https://security.netapp.com/advisory/ntap-20200122-0002/
ntap-20200416-0003 https://security.netapp.com/advisory/ntap-20200416-0003/
ntap-20240621-0006 https://security.netapp.com/advisory/ntap-20240621-0006/
?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46
?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8
?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336
RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337
RHSA-2020:1840 https://access.redhat.com/errata/RHSA-2020:1840
Slackware-Security-Advisory-openssl-Updates.html http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
USN-4376-1 https://usn.ubuntu.com/4376-1/
USN-4376-2 https://usn.ubuntu.com/4376-2/
USN-4504-1 https://usn.ubuntu.com/4504-1/
ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
No exploits are available.

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1547.json
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://arxiv.org/abs/1909.01785
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://kc.mcafee.com/corporate/index?page=content&id=SB10365

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1547
Exploitability (E): not present in the vector; Access Vector (AV): local; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): partial; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1547
Attack Vector (AV): local; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://seclists.org/bugtraq/2019/Oct/0

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://seclists.org/bugtraq/2019/Oct/1

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://seclists.org/bugtraq/2019/Sep/25

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://security.gentoo.org/glsa/201911-04

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://security.netapp.com/advisory/ntap-20190919-0002/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://security.netapp.com/advisory/ntap-20200122-0002/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://security.netapp.com/advisory/ntap-20200416-0003/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://security.netapp.com/advisory/ntap-20240621-0006/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://usn.ubuntu.com/4376-1/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://usn.ubuntu.com/4376-2/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://usn.ubuntu.com/4504-1/

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.debian.org/security/2019/dsa-4539

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.debian.org/security/2019/dsa-4540

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.openssl.org/news/secadv/20190910.txt

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.oracle.com/security-alerts/cpuapr2020.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.oracle.com/security-alerts/cpujan2020.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.oracle.com/security-alerts/cpujul2020.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.oracle.com/security-alerts/cpuoct2020.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.tenable.com/security/tns-2019-08

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-19T19:04:18Z/ Found at https://www.tenable.com/security/tns-2019-09
Exploit Prediction Scoring System (EPSS)
Percentile 0.35141
EPSS Score 0.00142
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:29:49.866556+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.17/community.json 37.0.0