CVSS: 10.0EPSS: 1%CPEs: 5EXPL: 2CVE-2022-3515 – GnuPG libksba CRL File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-3515
17 Oct 2022 — A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GnuPG libksba. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the i... • https://access.redhat.com/security/cve/CVE-2022-3515 • CWE-190: Integer Overflow or Wraparound •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 2CVE-2022-34903 – gpg: Signature spoofing via status line injection
https://notcve.org/view.php?id=CVE-2022-34903
01 Jul 2022 — GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. GnuPG versiones hasta 2.3.6, en situaciones inusuales en las que un atacante posee cualquier información de clave secreta del llavero de la víctima y son cumplidos en otras restricciones (por ejemplo, el uso de GPGME), permite una falsificación de firmas por medio de la inyecc... • http://www.openwall.com/lists/oss-security/2022/07/02/1 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2019-14855 – Ubuntu Security Notice USN-4516-1
https://notcve.org/view.php?id=CVE-2019-14855
20 Mar 2020 — A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. Se detectó un fallo en la manera en que podrían ser falsificadas las firmas de certificados usando colisiones encontradas en el algoritmo SHA-1. Un atacante podría usar esta debilidad para crear firmas de certificados falsificadas. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855 • CWE-326: Inadequate Encryption Strength •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 1CVE-2019-13050 – GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS
https://notcve.org/view.php?id=CVE-2019-13050
29 Jun 2019 — Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. La interacción entre el código sks-keyserver hasta versión 1.2.0 de la red SKS keyserver, y GnuPG hasta la versión 2.2.16, hace arriesgado tener una línea de configuración... • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2018-1000858 – gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service
https://notcve.org/view.php?id=CVE-2018-1000858
20 Dec 2018 — GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. GnuPG, de la versión 2.1.12 a la 2.2.11, contiene una vulnerabilidad Cross-Site Req... • https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 1CVE-2018-12020 – gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
https://notcve.org/view.php?id=CVE-2018-12020
08 Jun 2018 — mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. mainproc.c en GnuPG en versiones anteriores a la 2.2.8 gestiona de manera incorrecta el nombre de archi... • https://packetstorm.news/files/id/152703 • CWE-20: Improper Input Validation CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-9234 – Ubuntu Security Notice USN-3675-1
https://notcve.org/view.php?id=CVE-2018-9234
04 Apr 2018 — GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. GnuPG 2.2.4 y 2.2.5 no aplica una configuración en la que la certificación de claves requiere una clave maestra Certify offline. Esto resulta en que certificados aparentemente válidos ocurran solo con acceso a una subclave de firma. Marcus Brinkmann discovered that during decryption or ve... • https://dev.gnupg.org/T3844 • CWE-320: Key Management Errors •