CVE-2018-10846

A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.

Published: Aug 22, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-10846
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.6
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 1.9
AV:L/AC:M/Au:N/C:P/I:N/A:N

CWEs:

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
gnu / gnutls	-	3.6.12
redhat / enterprise_linux_desktop	7.0	7.0.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux_server	7.0	7.0.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	18.10	18.10.x
canonical / ubuntu_linux	19.04	19.04.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
debian / debian_linux	8.0	8.0.x

Vulnerability Database

CVE-2018-10846