CVE-2024-28834

Name
CVE-2024-28834
Description
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
vdb-entry https://access.redhat.com/security/cve/CVE-2024-28834
issue-tracking https://bugzilla.redhat.com/show_bug.cgi?id=2269228
secalert@redhat.com https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
secalert@redhat.com https://people.redhat.com/~hkario/marvin/
vendor-advisory https://access.redhat.com/errata/RHSA-2024:1784
secalert@redhat.com https://minerva.crocs.fi.muni.cz/
vendor-advisory https://access.redhat.com/errata/RHSA-2024:1879
vendor-advisory https://access.redhat.com/errata/RHSA-2024:1997
vendor-advisory https://access.redhat.com/errata/RHSA-2024:2044
vendor-advisory https://access.redhat.com/errata/RHSA-2024:2570
secalert@redhat.com http://www.openwall.com/lists/oss-security/2024/03/22/1
secalert@redhat.com http://www.openwall.com/lists/oss-security/2024/03/22/2
vendor-advisory https://access.redhat.com/errata/RHSA-2024:2889
https://security.netapp.com/advisory/ntap-20240524-0004/
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2024/09/msg00019.html

Match rules

CPE URI Source package Min version Max version
cpe:/o:redhat:enterprise_linux:9::baseos shopxo >= 0:3.7.6-23.el9_3.4 < *
cpe:/o:redhat:enterprise_linux:9::baseos shopxo >= 0:3.8.3-4.el9_4 < *
shopxo == 3.7.6-23 == 3.7.6-23
cpe:/a:redhat:enterprise_linux:8::appstream shopxo >= 0:3.6.16-8.el8_9.3 < *
cpe:/a:redhat:rhel_eus:8.6::appstream shopxo >= 0:3.6.16-5.el8_6.4 < *
cpe:/o:redhat:rhel_eus:8.8::baseos shopxo >= 0:3.6.16-7.el8_8.3 < *
cpe:/a:redhat:rhel_eus:9.2::appstream shopxo >= 0:3.7.6-21.el9_2.3 < *

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gnutls edge-main 3.8.5-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
gnutls 3.22-main 3.8.5-r0 None fixed
gnutls 3.21-main 3.8.5-r0 None fixed
gnutls 3.20-main 3.8.5-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
gnutls 3.19-main 3.8.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
gnutls 3.18-main 3.8.4-r0 Natanael Copa <ncopa@alpinelinux.org> fixed