{
  "threat_severity" : "Moderate",
  "public_date" : "2021-06-07T00:00:00Z",
  "bugzilla" : {
    "description" : "nettle: Remote crash in RSA decryption via manipulated ciphertext",
    "id" : "1967983",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1967983"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", "A flaw was found in nettle in the way its RSA decryption functions handle specially crafted ciphertext.  This flaw allows an attacker to provide a manipulated ciphertext, leading to an application crash and a denial of service." ],
  "acknowledgement" : "Red Hat would like to thank the GNU Nettle project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.16-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nettle-0:3.4.1-7.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.16-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "nettle-0:3.4.1-7.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "nettle",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mingw-nettle",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nettle",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3580\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3580" ],
  "name" : "CVE-2021-3580",
  "mitigation" : {
    "value" : "As per upstream: For applications that want to support older versions of nettle, the bug can be worked around by adding a check that the RSA ciphertext is in the range 0 < ciphertext < n, before attempting to decrypt it.",
    "lang" : "en:us"
  },
  "csaw" : false
}