CVE-2021-40529
First published: Mon Sep 06 2021(Updated: )
The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Botan Project Botan | <=2.18.1 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Mozilla Thunderbird | <91.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://eprint.iacr.org/2021/923
- https://github.com/randombit/botan/pull/2790
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
- https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/72NB4OLD3VHJC3YF3PEP2HKF6BYURPAO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPHGYWNJQKWLTUWBNSFB4F66MQDIL3IB/
- https://security.gentoo.org/glsa/202208-14
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPHGYWNJQKWLTUWBNSFB4F66MQDIL3IB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/72NB4OLD3VHJC3YF3PEP2HKF6BYURPAO/
Frequently Asked Questions
What is CVE-2021-40529?
CVE-2021-40529 is a vulnerability in the ElGamal implementation in Botan through 2.18.1, which is used in Thunderbird and other products, allowing plaintext recovery.
Which software is affected by CVE-2021-40529?
Botan through 2.18.1, Thunderbird, Fedora 34, and Fedora 35 are affected by CVE-2021-40529.
What is the severity of CVE-2021-40529?
The severity of CVE-2021-40529 is medium with a CVSS (Common Vulnerability Scoring System) score of 5.9.
How can I fix CVE-2021-40529?
To fix CVE-2021-40529, update Botan to version 2.18.2 or later and update Thunderbird to version 91.13.0 or later.
Where can I find more information about CVE-2021-40529?
You can find more information about CVE-2021-40529 at the following references: [1](https://eprint.iacr.org/2021/923), [2](https://github.com/randombit/botan/pull/2790), [3](https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1).
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/botan project
- canonical/botan project botan
- version/botan project botan/2.18.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/mozilla
- canonical/mozilla thunderbird