Cryptographic Issues

Affecting gnupg2 package, versions <2.0.22-1

NVD Description

Note: Versions mentioned in the description apply to the upstream gnupg2 package. See Remediation section below for Debian:10 relevant versions.

GnuPG 1.4.x, 2.0.x, and 2.1.x treat a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
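
The behaviour described above arises when a single value stands for both "no key flags subpacket" and "key flags present, nothing permitted". The following added example (not GnuPG's or Snyk's code; the macro and function names are hypothetical, and the fallback default is simplified to "all usage") puts that flawed pattern beside a hardened one that decides presence first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First octet of an OpenPGP key flags subpacket (RFC 4880, section 5.2.3.21). */
#define KF_CERTIFY 0x01
#define KF_SIGN    0x02
#define KF_ENCRYPT (0x04 | 0x08)  /* encrypt communications | encrypt storage */
#define KF_AUTH    0x20

/* Internal usage mask; these names are hypothetical, not GnuPG's. */
#define USE_CERT 0x1u
#define USE_SIGN 0x2u
#define USE_ENC  0x4u
#define USE_AUTH 0x8u
#define USE_ALL  (USE_CERT | USE_SIGN | USE_ENC | USE_AUTH)

static unsigned map_flags(uint8_t f)
{
    unsigned u = 0;
    if (f & KF_CERTIFY) u |= USE_CERT;
    if (f & KF_SIGN)    u |= USE_SIGN;
    if (f & KF_ENCRYPT) u |= USE_ENC;
    if (f & KF_AUTH)    u |= USE_AUTH;
    return u;
}

/* Flawed pattern: 0 means both "subpacket absent" and "no usage permitted". */
unsigned usage_flawed(const uint8_t *sub, size_t len)
{
    unsigned u = (sub && len) ? map_flags(sub[0]) : 0;
    return u ? u : USE_ALL;  /* 0 falls through to the permissive default */
}

/* Hardened pattern: presence is decided first, so an all-zero octet stays 0. */
unsigned usage_hardened(const uint8_t *sub, size_t len)
{
    if (!sub) return USE_ALL;            /* no subpacket: default applies */
    return len ? map_flags(sub[0]) : 0;  /* present: honour it, even when empty */
}

int main(void)
{
    const uint8_t cleared[1] = { 0x00 };  /* constructed sample subpacket body */
    printf("flawed=0x%x hardened=0x%x\n",
           usage_flawed(cleared, 1), usage_hardened(cleared, 1));
    return 0;
}
```

Treating a present but zero-length subpacket as "no usage" is this example's conservative choice, not a statement about how any GnuPG release handles it.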

Remediation

Upgrade Debian:10 gnupg2 to version 2.0.22-1 or higher.

CVSS Score

5.4 (low severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

  • CVE: CVE-2013-4351
  • CWE: CWE-310
  • Snyk ID: SNYK-DEBIAN10-GNUPG2-340443
  • Disclosed: 10 Oct, 2013
  • Published: 10 Oct, 2013