<p>Upgrade <code>Ubuntu:21.10</code> <code>gnupg2</code> to version 2.2.20-1ubuntu4.1 or higher.</p>

Arbitrary Code Injection Affecting gnupg2 package, versions <2.2.20-1ubuntu4.1

Snyk CVSS

Attack Complexity High

Confidentiality High

Threat Intelligence

EPSS 0.42% (75^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-UBUNTU2110-GNUPG2-2940678
published 4 Jul 2022
disclosed 1 Jul 2022

Report a new vulnerability Found a mistake?

Introduced: 1 Jul 2022

CVE-2022-34903 Open this link in a new tab CWE-74 Open this link in a new tab

How to fix?

Upgrade Ubuntu:21.10 gnupg2 to version 2.2.20-1ubuntu4.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:21.10 relevant fixed versions and status.

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.