Search for vulnerabilities
Vulnerability details: VCID-d91d-8t7r-aaag
Vulnerability ID VCID-d91d-8t7r-aaag
Aliases CVE-2018-0495
Summary Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-203 Observable Discrepancy
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-0495.html
cvssv3.1 7.8 https://access.redhat.com/errata/RHSA-2018:3505
generic_textual HIGH https://access.redhat.com/errata/RHSA-2018:3505
rhas Important https://access.redhat.com/errata/RHSA-2019:1543
rhas Moderate https://access.redhat.com/errata/RHSA-2019:2237
rhas Important https://access.redhat.com/errata/RHSA-2020:1267
rhas Important https://access.redhat.com/errata/RHSA-2020:1345
rhas Important https://access.redhat.com/errata/RHSA-2020:1461
cvssv3 5.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-0495.json
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00077 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00100 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00100 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00100 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00100 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00276 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00281 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00313 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00324 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00324 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00324 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00324 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00324 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00324 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.00367 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
epss 0.08185 https://api.first.org/data/v1/epss?cve=CVE-2018-0495
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
generic_textual Low https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.38_release_notes
cvssv3 5.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Low https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
cvssv2 1.9 https://nvd.nist.gov/vuln/detail/CVE-2018-0495
cvssv3 4.7 https://nvd.nist.gov/vuln/detail/CVE-2018-0495
archlinux High https://security.archlinux.org/AVG-719
generic_textual Low https://ubuntu.com/security/notices/USN-3689-1
generic_textual Low https://ubuntu.com/security/notices/USN-3689-2
generic_textual Low https://ubuntu.com/security/notices/USN-3692-1
generic_textual Low https://ubuntu.com/security/notices/USN-3692-2
generic_textual Medium https://ubuntu.com/security/notices/USN-3850-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3850-2
generic_textual Medium https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
cvssv3.1 9.8 https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
generic_textual LOW https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-0495.html
https://access.redhat.com/errata/RHSA-2018:3221
https://access.redhat.com/errata/RHSA-2018:3505
https://access.redhat.com/errata/RHSA-2019:1296
https://access.redhat.com/errata/RHSA-2019:1297
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-0495.json
https://api.first.org/data/v1/epss?cve=CVE-2018-0495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.38_release_notes
https://dev.gnupg.org/T4011
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=9010d1576e278a4274ad3f4aa15776c28f6ba965
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965
https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
https://ubuntu.com/security/notices/USN-3689-1
https://ubuntu.com/security/notices/USN-3689-2
https://ubuntu.com/security/notices/USN-3692-1
https://ubuntu.com/security/notices/USN-3692-2
https://ubuntu.com/security/notices/USN-3850-1
https://ubuntu.com/security/notices/USN-3850-2
https://usn.ubuntu.com/3689-1/
https://usn.ubuntu.com/3689-2/
https://usn.ubuntu.com/3692-1/
https://usn.ubuntu.com/3692-2/
https://usn.ubuntu.com/3850-1/
https://usn.ubuntu.com/3850-2/
https://www.debian.org/security/2018/dsa-4231
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
http://www.securitytracker.com/id/1041144
http://www.securitytracker.com/id/1041147
ASA-201806-10 https://security.archlinux.org/ASA-201806-10
AVG-719 https://security.archlinux.org/AVG-719
cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:traffic_director:11.1.1.9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:traffic_director:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVE-2018-0495 https://nvd.nist.gov/vuln/detail/CVE-2018-0495
RHBA-2020:0547 https://bugzilla.redhat.com/show_bug.cgi?id=1591163
RHSA-2019:1543 https://access.redhat.com/errata/RHSA-2019:1543
RHSA-2019:2237 https://access.redhat.com/errata/RHSA-2019:2237
RHSA-2020:1267 https://access.redhat.com/errata/RHSA-2020:1267
RHSA-2020:1345 https://access.redhat.com/errata/RHSA-2020:1345
RHSA-2020:1461 https://access.redhat.com/errata/RHSA-2020:1461
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2018:3505
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-0495.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-0495
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-0495
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.34083
EPSS Score 0.00077
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.