Information disclosure in libgcrypt (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2013-4242 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
libgcrypt (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU32638
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2013-4242
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
MitigationInstall update from vendor's website.
Vulnerable software versionslibgcrypt (Alpine package): 1.4.5-r0 - 1.5.2-r0
CPE2.3- cpe:2.3:o:alpine:libgcrypt_alpine_package:1.4.5-r0:*:*:*:*:alpine_linux:*:1.10
- cpe:2.3:o:alpine:libgcrypt_alpine_package:1.4.6-r0:*:*:*:*:alpine_linux:*:2.0
- cpe:2.3:o:alpine:libgcrypt_alpine_package:1.5.0-r0:*:*:*:*:alpine_linux:*:2.3
https://git.alpinelinux.org/aports/commit/?id=6e323da51f93cc5ca6159bc38b4213ca2c50d915
https://git.alpinelinux.org/aports/commit/?id=d8160ad518661bfb786e175f942fb4371446953c
https://git.alpinelinux.org/aports/commit/?id=b118fe90a7bc4d92a90c96ca681d9650d794ed44
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
