ALPINE-CVE-2019-1563
Where an attacker receives automated notification of the success or failure of a decryption attempt, the attacker can, after sending a very large number of messages to be decrypted, recover a CMS/PKCS7 transported encryption key or decrypt any RSA-encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they pass a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (affected: 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (affected: 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (affected: 1.0.2-1.0.2s).
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.23 | openssl | 0, 1.1.1c-r1, 1.1.1c-r0 |
| Alpine:v3.15 | openssl | 0, 0, 0 |
| Alpine:v3.20 | openssl | 1.1.1-r3, 0, 1.1.1-r0 |
| Alpine:v3.11 | openssl | 1.1.1b-r0, 1.1.1, 1.1.1 |
| Alpine:v3.15 | openssl3 | 1.1.1-r2, 1.1.1b-r1, 1.1.1c-r0 |
| Alpine:v3.22 | openssl | 1.1.1c-r1, 1.1.1-r2, 0 |
| Alpine:v3.18 | openssl | 1.1.1-r2, 1.1.1, 1.1.1 |
| Alpine:v3.13 | openssl | 1.1.1b-r0, 1.1.1a-r1, 1.1.1a-r0 |
| Alpine:v3.16 | openssl3 | *, 0, 1.1.1-r0 |
| Alpine:v3.17 | openssl | 0, 1.1.1-r0, 1.1.1 |
| Alpine:v3.8 | openssl | 1.0.2g-r3, 0.9.8i-r0, 0.9.8j-r0 |
| Alpine:v3.19 | openssl | 1.1.1b-r1, 1.1.1c-r0, 1.1.1-r0 |
| Alpine:v3.9 | openssl | 1.1.1-r1, 1.1.1, 1.1.1 |
| Alpine:v3.14 | openssl | 1.1.1, 0, 1.1.1-r2 |
| Alpine:v3.21 | openssl | 1.1.1-r3, 1.1.1-r5, 1.1.1 |
| Alpine:v3.16 | openssl | 0, 0, 0 |
| Alpine:v3.10 | openssl | 1.1.1-r5, 1.1.1c-r0, 1.1.1b-r1 |
| Alpine:v3.12 | openssl | 0, 1.1.1, 1.1.1 |
| Alpine:v3.7 | openssl | 0.9.8k-r0, 0.9.8i-r0, 0 |
Timeline
- Sep 10, 2019 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch