Luca De Feo

**Name of the Vulnerable Software and Affected Versions** Botan versions through 2.18.1 **Description** The issue allows plaintext recovery due to a certain combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents, leading to a cross-configuration attack against OpenPGP. **Recommendations** For Botan versions through 2.18.1, update to a version later than 2.18.1 to resolve the issue. As a temporary workaround, consider restricting the use of the ElGamal implementation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Crypto++ versions through 8.5 **Description** The ElGamal implementation in Crypto++ allows plaintext recovery due to a certain combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents. This can lead to a cross-configuration attack against OpenPGP. **Recommendations** For Crypto++ versions through 8.5, consider updating to a version that addresses this issue, as the current implementation allows for plaintext recovery. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Libgcrypt versions prior to 1.9.4 **Description** The issue is related to the use of a weak cryptographic algorithm in the Libgcrypt library. It affects the ElGamal implementation, allowing plaintext recovery due to a dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents. This can lead to a cross-configuration attack against OpenPGP. **Recommendations** For Libgcrypt versions prior to 1.9.4, update to version 1.9.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ElGamal implementation until a patch is available.