{
  "threat_severity" : "Moderate",
  "public_date" : "2019-10-02T00:00:00Z",
  "bugzilla" : {
    "description" : "libgcrypt: ECDSA timing attack allowing private key leak",
    "id" : "1764018",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1764018"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "A timing attack was found in the way ECCDSA was implemented in libgcrypt. A man-in-the-middle attacker could use this attack during signature generation to recover the private key. This attack is only feasible when the attacker is local to the machine where the signature is being generated. Attacks over the network or via the internet are not feasible." ],
  "statement" : "The versions of libgcrypt shipped with Red Hat Enterprise Linux 5, 6 and 7 do not support ECC, therefore they are not affected by this flaw.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4482",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libgcrypt-0:1.8.5-4.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "libgcrypt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libgcrypt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "libgcrypt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-13627\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-13627\nhttps://dev.gnupg.org/T4683\nhttps://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5" ],
  "name" : "CVE-2019-13627",
  "csaw" : false
}