<p>Upgrade <code>Amazon-Linux:2018.03</code> <code>gnupg2</code> to version 0:2.0.28-2.35.amzn1 or higher.<br>This issue was patched in <code>ALAS-2022-1630</code>.</p>

Improper Verification of Cryptographic Signature Affecting gnupg2 package, versions <0:2.0.28-2.35.amzn1

Snyk CVSS

Attack Complexity High

Integrity High

Threat Intelligence

EPSS 0.42% (74^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-AMZN201803-GNUPG2-2989671
published 24 Aug 2022
disclosed 1 Jul 2022

Report a new vulnerability Found a mistake?

Introduced: 1 Jul 2022

CVE-2022-34903 Open this link in a new tab CWE-347 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2018.03 gnupg2 to version 0:2.0.28-2.35.amzn1 or higher.
This issue was patched in ALAS-2022-1630.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.