CVE-2018-6829
CVE Details
Visit the official vulnerability details page for CVE-2018-6829 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
libgcrypt20
NIST CVE Summary
cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.
CVE Severity
Our Official Summary
cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. This is not a security flaw in libgcrypt. However if an application uses The El-gamal algorithm implemented by libgcrypt in a particular way than the application would be vulnerable to security flaw(s).
There is no documented instance of the third party images where this vulnerability is reported being affected by this flaw. In order to exploit this vulnerability, an attacker needs to get privileges access to this container and execute code which the container have controls in place to prevent. Impact of exploitation is also low, since any denial of service will be restricted to the container function.
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.5.15 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.11 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.10 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.8 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.5 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.4 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.4.20 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
12/06/2024 | Advisory severity revised to HIGH from MEDIUM |
12/05/2024 | Advisory severity revised to MEDIUM from HIGH |
12/03/2024 | Official summary revised: cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. This is not a security flaw in libgcrypt. However if an application uses The El-gamal algorithm implemented by libgcrypt in a particular way than the application would be vulnerable to security flaw(s). There is no documented instance of the third party images where this vulnerability is reported being affected by this flaw. In order to exploit this vulnerability, an attacker needs to get privileges access to this container and execute code which the container have controls in place to prevent. Impact of exploitation is also low, since any denial of service will be restricted to the container function. |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |