Use of Incorrectly-Resolved Name or Reference
Affecting gnupg package, versions <1.4.18-7+deb8u5
Overview
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
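The effect on a consumer of the status output, as an added example that is not part of the original advisory or of GnuPG: a line-prefix parser cannot tell a real status record from log text that contains a line feed when both share fd 2, so the defensive pattern is to give `--status-fd` a descriptor nothing else writes to. The sample streams, key ID, signer name and function names are constructed for illustration.

```python
import os
import subprocess

PREFIX = "[GNUPG:] "

# Constructed sample: what a consumer reads when status and log text share
# fd 2. The log message echoing the embedded filename carries a line feed,
# so the text after it looks like a status line.
SHARED_FD2 = (
    "gpg: original file name='\n"
    "[GNUPG:] GOODSIG 0000000000000000 Constructed Signer\n"
    "'\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)
# Constructed sample: the same run with status on its own descriptor.
DEDICATED_FD = "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"


def parse_status(text):
    """Return (keyword, args) for each line that carries the status prefix."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, args = line[len(PREFIX):].partition(" ")
            records.append((keyword, args))
    return records


def claims_signature(text):
    """True if the stream contains a GOODSIG or VALIDSIG record."""
    return any(k in ("GOODSIG", "VALIDSIG") for k, _ in parse_status(text))


def run_with_private_status_fd(gpg_args, gpg="gpg"):
    """Run gpg with status on a pipe nothing else writes to (POSIX only)."""
    read_fd, write_fd = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--status-fd", str(write_fd), *gpg_args],
            pass_fds=(write_fd,), stdout=subprocess.DEVNULL)  # stderr inherited
    except OSError:
        os.close(read_fd)
        raise
    finally:
        os.close(write_fd)
    with os.fdopen(read_fd, encoding="utf-8", errors="replace") as status:
        text = status.read()
    proc.wait()
    return parse_status(text)
```

Separating the descriptors only limits what log text can reach; the fix itself is the patched package version named at the top of this page.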
CVSS Score
7.5 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
- CVE: CVE-2018-12020
- CWE: CWE-706
- Snyk ID: SNYK-DEBIAN8-GNUPG-340529
- Disclosed: 08 Jun, 2018
- Published: 08 Jun, 2018