CVE-2021-3798

Summary

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

Affected Software

VendorProductVersion RangeStatus
n/aopencryptokiFixed in v3.17.0affected

Weaknesses

  • CWE-200: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

References