CVSS: 4.2EPSS: 0%CPEs: 4EXPL: 0CVE-2014-3591 – Debian Security Advisory 3184-1
https://notcve.org/view.php?id=CVE-2014-3591
13 Mar 2015 — Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. Libgcrypt versiones anteriores a 1.6.3 y GnuPG versiones anteriores a 1.4.19, no implementa un blinding de texto cifrado para el desencriptado de Elgamal, lo que permite a atacantes físicamente próximos... • http://www.cs.tau.ac.il/~tromer/radioexp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2015-0837 – Debian Security Advisory 3184-1
https://notcve.org/view.php?id=CVE-2015-0837
13 Mar 2015 — The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack." La función mpi_powm en Libgcrypt versiones anteriores a 1.6.3 y GnuPG versiones anteriores a 1.4.19, permite a atacantes obtener información confidencial mediante el aprovechamiento de las diferencias de tiempo al acceder a una tabla prec... • http://www.debian.org/security/2015/dsa-3184 • CWE-203: Observable Discrepancy •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-1606 – Debian Security Advisory 3184-1
https://notcve.org/view.php?id=CVE-2015-1606
13 Mar 2015 — The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file. La base de datos de llavero en GnuPG versiones anteriores a la versión 2.1.2, no maneja apropiadamente los paquetes no válidos, lo que permite a atacantes remotos causar una denegación de servicio (lectura no válida y uso de la memoria previamente liberada) por medio de un archivo de llavero especialmente diseñ... • http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648 • CWE-416: Use After Free •
CVSS: 9.8EPSS: 4%CPEs: 10EXPL: 0CVE-2014-9087 – Debian Security Advisory 3078-1
https://notcve.org/view.php?id=CVE-2014-9087
28 Nov 2014 — Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow. Desbordamiento de enteros en la función ksba_oid_to_str en Libksba anterior a 1.3.2, utilizado en GnuPG, permite a atacantes remotos causar una denegación de servicio (caída) a través de un OID manipulado en (1) un mensaje S/MIME o (2) datos OpenPGP b... • http://advisories.mageia.org/MGASA-2014-0498.html • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2014-5270 – Debian Security Advisory 3073-1
https://notcve.org/view.php?id=CVE-2014-5270
29 Aug 2014 — Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. Libgcrypt anterior a 1.5.4, utilizado en GnuPG y otros productos, no realiza debidamente la normalización y aleatorización de texto cifrado, lo que facilita a atacantes f... • http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 7%CPEs: 64EXPL: 0CVE-2014-4617 – Ubuntu Security Notice USN-2258-1
https://notcve.org/view.php?id=CVE-2014-4617
25 Jun 2014 — The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. La función do_uncompress en g10/compress.c en GnuPG 1.x anterior a 1.4.17 y 2.x anterior a 2.0.24 permite a atacantes dependientes de contexto causar una denegación de servicio (bucle infinito) a través de paquetes comprimidos malformados, tal y como fue ... • http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git%3Ba=commit%3Bh=014b2103fcb12f261135e3954f26e9e07b39e342 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 3CVE-2014-1927 – Debian Security Advisory 2946-1
https://notcve.org/view.php?id=CVE-2014-1927
05 Jun 2014 — The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. La función shell_quote en python-gnupg 0.3.5 no cita debidamente cadenas, lo que permite a atacantes dependientes de contexto ejecu... • http://seclists.org/oss-sec/2014/q1/245 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 3CVE-2014-1928 – Debian Security Advisory 2946-1
https://notcve.org/view.php?id=CVE-2014-1928
05 Jun 2014 — The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. La función shell_quote en python-gnupg 0.3.5 no escapa debidamente los caracteres, lo que permite a atac... • http://seclists.org/oss-sec/2014/q1/246 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-1929 – Debian Security Advisory 2946-1
https://notcve.org/view.php?id=CVE-2014-1929
05 Jun 2014 — python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. python-gnupg 0.3.5 y 0.3.6 permite a atacantes dependientes de contexto tener un impacto no especificado a través de vectores relacionados con 'la inyección de opciones mediante argumentos posicionales.' NOTA: esta vulnerabilidad existe debido a una solución incompl... • http://seclists.org/oss-sec/2014/q1/245 • CWE-20: Improper Input Validation •
CVSS: 4.2EPSS: 0%CPEs: 43EXPL: 0CVE-2013-4576 – gnupg: RSA secret key recovery via acoustic cryptanalysis
https://notcve.org/view.php?id=CVE-2013-4576
19 Dec 2013 — GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identi... • http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html • CWE-255: Credentials Management Errors •