
CVE-2025-30258
https://notcve.org/view.php?id=CVE-2025-30258
19 Mar 2025 — In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS." • https://dev.gnupg.org/T7527 • CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVE-2022-3515 – GnuPG libksba CRL File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-3515
17 Oct 2022 — A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GnuPG libksba. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the i... • https://access.redhat.com/security/cve/CVE-2022-3515 • CWE-190: Integer Overflow or Wraparound •

CVE-2022-34903 – gpg: Signature spoofing via status line injection
https://notcve.org/view.php?id=CVE-2022-34903
01 Jul 2022 — GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. • http://www.openwall.com/lists/oss-security/2022/07/02/1 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-347: Improper Verification of Cryptographic Signature •
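The injection class behind CVE-2022-34903, shown as an added, constructed model that is not GnuPG or GPGME code. gpg reports verification results on `--status-fd` as lines of the form `[GNUPG:] KEYWORD args...`, and a downstream consumer such as GPGME trusts those lines. If attacker-influenced text reaches a status line without escaping, an embedded newline terminates the real line and starts a forged one. The page does not say which field was affected, so the user ID below is a stand-in assumption, and the key ID, names and addresses are made up; `percent_escape` mirrors the `%XX` style of escaping gpg uses for status output but is written here from scratch.

```python
"""Model of gpg status-fd output, a GPGME-style consumer, and newline injection.

Constructed example for CVE-2022-34903 (CWE-74 / CWE-347). Not GnuPG source.
"""
from typing import List, Tuple

STATUS_PREFIX = "[GNUPG:] "


def percent_escape(text: str) -> str:
    """Escape bytes that would break a single status line: '%', CR and LF.

    This is the producer-side fix: the field can no longer contain a raw
    newline, so it can never be parsed as a second status line.
    """
    out = []
    for ch in text:
        if ch in "%\r\n":
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def emit_status(keyword: str, *args: str, escape: bool = True) -> str:
    """Produce one status line. escape=False models the unpatched behaviour."""
    fields = [percent_escape(a) if escape else a for a in args]
    return STATUS_PREFIX + " ".join([keyword, *fields]) + "\n"


def parse_status(stream: str) -> List[Tuple[str, str]]:
    """Consumer side: split the status stream into (KEYWORD, rest) records."""
    records = []
    for line in stream.split("\n"):
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
        records.append((keyword, rest))
    return records


def signature_accepted(records: List[Tuple[str, str]]) -> bool:
    """Mimic a consumer that accepts the signature when it sees GOODSIG."""
    return any(kw == "GOODSIG" for kw, _ in records)


# Constructed attacker-controlled text (hypothetical field; made-up key ID).
# The embedded newline is followed by a complete forged status line.
ATTACKER_UID = (
    "Mallory <mallory@example.org>\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Mallory <mallory@example.org>"
)


def verify_output(escape: bool) -> str:
    """The real verdict is BADSIG; the user ID carries the injected line."""
    return emit_status("BADSIG", "0123456789ABCDEF", ATTACKER_UID, escape=escape)


def vulnerable_verdict() -> bool:
    """Unescaped field: the consumer sees two records and accepts the forgery."""
    return signature_accepted(parse_status(verify_output(escape=False)))


def hardened_verdict() -> bool:
    """Escaped field: one BADSIG record, forgery rejected."""
    return signature_accepted(parse_status(verify_output(escape=True)))


if __name__ == "__main__":
    print("unpatched stream:\n" + verify_output(escape=False))
    print("accepted (unpatched):", vulnerable_verdict())
    print("patched stream:\n" + verify_output(escape=True))
    print("accepted (patched):", hardened_verdict())
```

The consumer cannot tell a forged `[GNUPG:] GOODSIG` line from a real one, which is why the fix has to sit on the producer side (escaping every attacker-influenced field before it reaches the status stream) rather than in GPGME's parser; the CVE's precondition that the attacker already has secret-key material in the victim's keyring is what gets attacker-chosen text into that output path in the first place.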