CVE-2013-4351
gnupg: treats no-usage-permitted keys as all-usages-permitted
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
GnuPG 1.4.x, y 2.1.x trata un subpaquete de flags clave con todos los bits a 0 (sin uso permitido) como si tuviera todos los bits establecidos (todo uso permitido) lo que permitiría a atacantes remotos evadir mecanismos de protección criptográfica intencionada mediante el aprovechamiento de la subclave.
The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. A denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. It was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-06-12 CVE Reserved
- 2013-10-09 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-310: Cryptographic Issues
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138 | X_refsource_confirm | |
| http://www.openwall.com/lists/oss-security/2013/09/13/4 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html | 2014-01-04 | |
| http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html | 2014-01-04 | |
| http://rhn.redhat.com/errata/RHSA-2013-1459.html | 2014-01-04 | |
| http://ubuntu.com/usn/usn-1987-1 | 2014-01-04 | |
| http://www.debian.org/security/2013/dsa-2773 | 2014-01-04 | |
| http://www.debian.org/security/2013/dsa-2774 | 2014-01-04 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1010137 | 2013-10-24 | |
| https://access.redhat.com/security/cve/CVE-2013-4351 | 2013-10-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.0 Search vendor "Gnupg" for product "Gnupg" and version "1.4.0" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.2 Search vendor "Gnupg" for product "Gnupg" and version "1.4.2" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.3 Search vendor "Gnupg" for product "Gnupg" and version "1.4.3" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.4 Search vendor "Gnupg" for product "Gnupg" and version "1.4.4" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.5 Search vendor "Gnupg" for product "Gnupg" and version "1.4.5" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.6 Search vendor "Gnupg" for product "Gnupg" and version "1.4.6" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.8 Search vendor "Gnupg" for product "Gnupg" and version "1.4.8" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.10 Search vendor "Gnupg" for product "Gnupg" and version "1.4.10" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.11 Search vendor "Gnupg" for product "Gnupg" and version "1.4.11" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.12 Search vendor "Gnupg" for product "Gnupg" and version "1.4.12" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 1.4.13 Search vendor "Gnupg" for product "Gnupg" and version "1.4.13" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0 Search vendor "Gnupg" for product "Gnupg" and version "2.0" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.1 Search vendor "Gnupg" for product "Gnupg" and version "2.0.1" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.3 Search vendor "Gnupg" for product "Gnupg" and version "2.0.3" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.4 Search vendor "Gnupg" for product "Gnupg" and version "2.0.4" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.5 Search vendor "Gnupg" for product "Gnupg" and version "2.0.5" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.6 Search vendor "Gnupg" for product "Gnupg" and version "2.0.6" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.7 Search vendor "Gnupg" for product "Gnupg" and version "2.0.7" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.8 Search vendor "Gnupg" for product "Gnupg" and version "2.0.8" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.10 Search vendor "Gnupg" for product "Gnupg" and version "2.0.10" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.11 Search vendor "Gnupg" for product "Gnupg" and version "2.0.11" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.12 Search vendor "Gnupg" for product "Gnupg" and version "2.0.12" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.13 Search vendor "Gnupg" for product "Gnupg" and version "2.0.13" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.14 Search vendor "Gnupg" for product "Gnupg" and version "2.0.14" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.15 Search vendor "Gnupg" for product "Gnupg" and version "2.0.15" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.16 Search vendor "Gnupg" for product "Gnupg" and version "2.0.16" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.17 Search vendor "Gnupg" for product "Gnupg" and version "2.0.17" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.18 Search vendor "Gnupg" for product "Gnupg" and version "2.0.18" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.0.19 Search vendor "Gnupg" for product "Gnupg" and version "2.0.19" | - |
Affected
| ||||||
| Gnupg Search vendor "Gnupg" | Gnupg Search vendor "Gnupg" for product "Gnupg" | 2.1.0 Search vendor "Gnupg" for product "Gnupg" and version "2.1.0" | beta1 |
Affected
| ||||||