PT-2018-3457 · Gnu · Gnupg

Ben Fuhrmannek · Published 2018-12-20 · Updated 2020-11-04

CVE-2018-1000858 · CVSS v2.0 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerable software and affected versions: GnuPG 2.1.12 through 2.2.11 (the dirmngr component).
Description: dirmngr, the GnuPG daemon that performs network lookups on behalf of gpg, can be made to issue HTTP requests chosen by an attacker while resolving a Web Key Directory (WKD) lookup. The host contacted by a WKD lookup is derived from the domain part of the e-mail address being looked up, so an address whose domain (or whose web server) is under attacker control is enough to put dirmngr's request under attacker control. The CVE classifies the outcome as Cross-Site Request Forgery (CSRF); it can also lead to information disclosure or denial of service. The victim only has to trigger a WKD request, for example by typing an e-mail address into the composer window of Thunderbird/Enigmail, which looks up the recipient's key automatically.
Recommendations: Upgrade to GnuPG 2.2.12 or later, which contains the fix (commit 4a4bb874f63741026bd26264c43bb32b1099f060); the distribution advisories listed below carry the backport. Until the upgrade is in place, restrict what dirmngr can reach on the network (for example, block its outbound HTTP/HTTPS at the host firewall or route it through a proxy that only allows the expected key-server hosts), or, where WKD is not needed, remove `wkd` from the `auto-key-locate` option in gpg.conf so that entering an address no longer causes a WKD lookup at all.
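As an added illustration (this editor's example, not code from this page or from GnuPG), the following Python derives the two URLs a WKD lookup contacts for an e-mail address, which makes concrete why the domain owner decides where dirmngr connects, and applies a same-host HTTPS-only redirect policy so that such a lookup cannot be bounced to another host. The redirect policy, the `fetch_with_policy` walk over a table of constructed responses and the attacker-controlled scenario are assumptions for illustration, not a transcription of the GnuPG patch; the sample input is the example address `Joe.Doe@Example.ORG` from draft-koch-openpgp-webkey-service.

```python
"""Added example (not GnuPG's code): derive the URLs a Web Key Directory
lookup contacts for an e-mail address, and apply a same-host redirect
policy so an attacker-controlled domain cannot steer the lookup elsewhere.
The redirect policy and the simulated fetch are illustrative assumptions."""

import hashlib
from urllib.parse import urlsplit

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding characters)."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 31])
    if nbits:  # left-align the leftover bits in a final 5-bit group
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 31])
    return "".join(out)

def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' WKD lookup URLs for an address.
    The host in both is chosen purely by the domain part of the address,
    i.e. by whoever controls that domain's DNS and web server."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={local}",
    }

def redirect_allowed(request_url: str, location: str) -> bool:
    """Hardening policy (assumption for this example): follow a redirect only
    if it stays on the host the lookup started on and stays on HTTPS.
    A redirect to localhost, an internal service or a third party is refused."""
    src, dst = urlsplit(request_url), urlsplit(location)
    return dst.scheme == "https" and dst.hostname is not None and dst.hostname == src.hostname

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def fetch_with_policy(url: str, responses: dict, max_redirects: int = 5) -> tuple:
    """Walk a constructed table of (status, body-or-Location) instead of the
    network.  Returns (last_url, outcome) with outcome one of
    'ok', 'error', 'blocked' or 'too-many-redirects'."""
    for _ in range(max_redirects):
        status, payload = responses.get(url, (404, None))
        if status in REDIRECT_STATUSES:
            if not redirect_allowed(url, payload):
                return url, "blocked"
            url = payload
            continue
        return url, ("ok" if status == 200 else "error")
    return url, "too-many-redirects"

# Constructed scenario: the victim types the draft's example address, whose
# domain we treat as attacker-controlled.  Its web server tries to bounce the
# advanced lookup to a service on the victim's own machine, while the direct
# lookup is redirected to another path on the same host.
VICTIM_LOOKUP = wkd_urls("Joe.Doe@Example.ORG")
CONSTRUCTED_RESPONSES = {
    VICTIM_LOOKUP["advanced"]: (302, "http://127.0.0.1:8080/admin/reset?confirm=1"),
    VICTIM_LOOKUP["direct"]: (302, "https://example.org/keys/joe.doe.bin"),
    "https://example.org/keys/joe.doe.bin": (200, b"<binary OpenPGP key would go here>"),
}

def demo() -> tuple:
    """Run both lookups through the policy; returns their outcomes."""
    advanced = fetch_with_policy(VICTIM_LOOKUP["advanced"], CONSTRUCTED_RESPONSES)[1]
    direct = fetch_with_policy(VICTIM_LOOKUP["direct"], CONSTRUCTED_RESPONSES)[1]
    return advanced, direct

if __name__ == "__main__":
    for name, url in VICTIM_LOOKUP.items():
        print(f"{name}: {url}")
    print("outcomes (advanced, direct):", demo())
```

Without the policy, the advanced lookup would hand a request to 127.0.0.1:8080 carrying whatever path the attacker's server chose, which is the CSRF-style outcome the CVE describes; with it the lookup stops at "blocked" while a benign redirect on the same host still completes. The first request to the attacker's domain is inherent in WKD and cannot be removed by a client-side check, which is why the recommendations above also mention restricting dirmngr's network reach or disabling WKD lookups.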

Tags: Exploit · Fix · DoS · CSRF


Weakness Enumeration

Related identifiers

ALSA-2020:4490
ALT-PU-2019-1521
BDU:2020-01716
CESA-2020:4490
CVE-2018-1000858
MGASA-2019-0108
OPENSUSE-SU-2019:0020-1
RHSA-2020:4490
RLSA-2020:4490
SUSE-SU-2019:0023-1
USN-3853-1

Affected products

Alt Linux
Almalinux
Centos
Enigmail
Gnupg
Red Hat
Rocky Linux
Suse
Thunderbird
Ubuntu