CVE-2019-16910
PUBLISHED
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)
Mechanism: deterministic ECDSA (RFC 6979) seeds its HMAC_DRBG only from the private key and the message hash, so signing the same message repeatedly derives the same nonce by design. The affected versions also drew the side-channel blinding values for the scalar multiplication from that same DRBG, so the blinding repeated as well. Blinding exists to give every signing operation a different power and timing profile; when it repeats, an attacker who can observe many signatures of one message can average the noise away and recover the private key. The signatures themselves are unaffected and remain valid, so the flaw is invisible to output-only testing. The fix keeps the RFC 6979 nonce and sources blinding from an entropy-backed RNG instead: mbedtls_ecdsa_sign_det_ext() takes that RNG as separate f_rng_blind and p_rng_blind arguments, while the older mbedtls_ecdsa_sign_det() entry point has no such argument and was deprecated.
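As an added illustration (not code from the CVE record or from Mbed TLS), the following pure-Python model shows the failure mode and the fix side by side. It implements RFC 6979 nonce derivation with an HMAC_DRBG seeded only from the private key and message hash, then signs on secp256k1 with a scalar-blinded multiplication. Passing no blinding RNG reproduces the vulnerable pattern (blinding drawn from the deterministic DRBG); passing an entropy-backed callable reproduces the fixed pattern. The curve, the key, the message and the k + b*n scalar blinding are all constructed for the demo; the blinding countermeasure is illustrative rather than Mbed TLS's exact one, and the DRBG's generate-then-update step follows NIST HMAC_DRBG rather than RFC 6979's exact rejection loop, so it is not meant to match RFC 6979 test vectors.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (standard constants; the curve choice only keeps the demo self-contained)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Plain double-and-add; the scalar's bit pattern is what a side channel leaks."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

class Rfc6979Drbg:
    """HMAC_DRBG-SHA256 seeded as RFC 6979 section 3.2 prescribes, from the private key
    and message hash only, so every output is a pure function of (key, message)."""

    def __init__(self, priv, h1):
        seed = priv.to_bytes(32, "big") + (int.from_bytes(h1, "big") % N).to_bytes(32, "big")
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        for tag in (b"\x00", b"\x01"):
            self.K = hmac.new(self.K, self.V + tag + seed, hashlib.sha256).digest()
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()

    def generate(self, nbytes):
        """Generate, then update state, as an HMAC_DRBG random() call does."""
        out = b""
        while len(out) < nbytes:
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
            out += self.V
        self.K = hmac.new(self.K, self.V + b"\x00", hashlib.sha256).digest()
        self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
        return out[:nbytes]

def blinded_mul(k, pt, rng):
    """Scalar blinding (illustrative, not Mbed TLS's exact countermeasure): (k + b*N)*pt
    equals k*pt for any b, but the scalar actually walked differs whenever b differs.
    The blinding value is returned only so the demo can compare it across calls."""
    b = int.from_bytes(rng(8), "big")
    return _mul(k + b * N, pt), b

def sign(priv, msg, blind_rng=None):
    """Deterministic ECDSA. blind_rng=None is the vulnerable pattern (blinding drawn from
    the RFC 6979 DRBG); an entropy-backed callable such as secrets.token_bytes is the
    fixed pattern (same deterministic nonce, fresh blinding)."""
    h1 = hashlib.sha256(msg).digest()
    e = int.from_bytes(h1, "big") % N
    drbg = Rfc6979Drbg(priv, h1)
    k = 0
    while not 1 <= k < N:
        k = int.from_bytes(drbg.generate(32), "big")
    R, b = blinded_mul(k, G, drbg.generate if blind_rng is None else blind_rng)
    r = R[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return (r, s), b

def verify(pub, msg, sig):
    """Standard ECDSA verification, used to show the blinding never changes the output."""
    r, s = sig
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    X = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    return X is not None and X[0] % N == r

def demo(priv=0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,
         msg=b"constructed sample message, signed repeatedly"):
    """Sign one message twice each way (constructed key and message) and report what repeats."""
    pub = _mul(priv, G)
    (sig_v1, b_v1), (sig_v2, b_v2) = sign(priv, msg), sign(priv, msg)
    (sig_f1, b_f1), (sig_f2, b_f2) = (sign(priv, msg, secrets.token_bytes),
                                      sign(priv, msg, secrets.token_bytes))
    return {
        "signatures_identical": sig_v1 == sig_v2 == sig_f1 == sig_f2,  # RFC 6979 by design
        "vulnerable_blinding_repeats": b_v1 == b_v2,  # the CVE: same b on every signing
        "fixed_blinding_repeats": b_f1 == b_f2,  # fresh entropy: expect False
        "valid": verify(pub, msg, sig_v1),
    }
```

Running demo() shows every signature identical and valid (deterministic by design), the vulnerable blinding value identical across signings, and the fixed blinding value fresh each time. Because the signatures are equal either way, the defect cannot be caught by comparing outputs or test vectors; an audit has to check which RNG feeds the blinding, which is exactly the distinction the fixed API makes explicit with its separate blinding RNG argument.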
Risk Scores
- EPSS Score: 0.67% (71.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | mbedtls | 2.1.2-1, 0, 2.2.0-1 |
| Ubuntu:18.04:LTS | mbedtls | 0, 2.5.1-1ubuntu1, 2.6.0-1 |
Timeline
- Sep 26, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-16910 third-party advisory (Ubuntu security tracker)
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10 vendor advisory (Mbed TLS Security Advisory 2019-10)
- https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd fix commit
- https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b fix commit
- https://www.cve.org/CVERecord?id=CVE-2019-16910 CVE record