CVE-2020-8945

CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

El contenedor Proglottis Go versiones anteriores a 0.1.1 para la biblioteca GPGME, presenta un uso de la memoria previamente liberada, como es demostrado por el uso para las extracciones de imágenes de contenedores para Docker o CRI-O. Esto conlleva a un bloqueo o posible ejecución de código durante una comprobación de la firma GPG.

A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-02-12 CVE Reserved
2020-02-12 CVE Published
2024-01-19 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-416: Use After Free

CAPEC

References (12)

URL	Tag	Source

URL	Date	SRC
https://github.com/proglottis/gpgme/pull/23	2024-08-04

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1795838	2020-07-28
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1	2023-11-07
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2020:0679	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0689	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0697	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-8945	2020-07-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.1 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.1"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.1 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.1"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.2 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.2"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.2 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.2"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.3 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.3"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.3 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.3"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.4 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.4"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.4 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.4"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.5 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.5"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"	4.5 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.5"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Ibm Z Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z"	4.1 Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z" and version "4.1"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Ibm Z Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z"	4.1 Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z" and version "4.1"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Ibm Z Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z"	4.2 Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z" and version "4.2"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Ibm Z Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z"	4.2 Search vendor "Redhat" for product "Openshift Container Platform For Ibm Z" and version "4.2"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone"	4.1 Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" and version "4.1"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone"	4.1 Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" and version "4.1"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone"	4.2 Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" and version "4.2"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Openshift Container Platform For Linuxone Search vendor "Redhat" for product "Openshift Container Platform For Linuxone"	4.2 Search vendor "Redhat" for product "Openshift Container Platform For Linuxone" and version "4.2"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"	-	Safe
Gpgme Project Search vendor "Gpgme Project"		Gpgme Search vendor "Gpgme Project" for product "Gpgme"				< 0.1.1 Search vendor "Gpgme Project" for product "Gpgme" and version " < 0.1.1"		go		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"				7.0 Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11"		-		Affected