Description
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
Remediation
References