What is CVE-2014-5270?

CVE-2014-5270 is a vulnerability in Gnupg Libgcrypt, classified under Information Disclosure. Published 2014-10-10.

Is CVE-2014-5270 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Information disclosure in Gnupg Libgcrypt

CVE-2014-5270

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by lev…

Vulnerability class: Information Disclosure

EPSS: 0.001 (22.2th percentile) — read the EPSS interpretation.

Affected products

Gnupg Libgcrypt — versions 1.4.0, 1.4.3, 1.4.4
Debian Debian_linux — versions 7.0
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

Public proof-of-concept exploits

References

[gnupg-announce] 20140808 [security fix] Libgcrypt and GnuPG (Vendor Advisory, mailing-list, x_refsource_MLIST, Patch)
DSA-3073 (vendor-advisory, Third Party Advisory, x_refsource_DEBIAN)
[oss-security] 20140816 Re: CVE request: libgcrypt, ELGAMAL side-channel attack (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
cve@mitre.org (Technical Description, x_refsource_MISC)
DSA-3024 (vendor-advisory, x_refsource_DEBIAN)

Frequently asked questions

What is CVE-2014-5270?: CVE-2014-5270 is a vulnerability in Gnupg Libgcrypt, classified under Information Disclosure. Published 2014-10-10.
Is CVE-2014-5270 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.