CVE-2021-40529: Use of a Broken or Risky Cryptographic Algorithm

September 6, 2021 (updated November 7, 2023)

The ElGamal implementation in Botan, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver’s public key, the generator defined by the receiver’s public key, and the sender’s ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

References

nvd.nist.gov/vuln/detail/CVE-2021-40529

Code Behaviors & Features

Detect and mitigate CVE-2021-40529 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →