AZL-10659

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-10659.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-10659

Upstream

CVE-2021-3798

Published

2022-08-23T16:15:09Z

Modified

2026-04-21T04:21:19.824250Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

CVE-2021-3798 affecting package opencryptoki for versions less than 3.17.0-1

Details

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via CCreateObject, nor when CDeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-3798

Affected packages

Azure Linux:2 / opencryptoki

Package

Name: opencryptoki
Purl: pkg:rpm/azure-linux/opencryptoki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.17.0-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-10659.json"