Gnu · Gnupg · CVE-2018-1000858
Name of the Vulnerable Software and Affected Versions:
GnuPG versions 2.1.12 through 2.2.11 (the vulnerable code lives in the `dirmngr` component that ships with GnuPG; 2.2.12 is the first unaffected release)
Description:
The issue is a Cross-Site Request Forgery (CSRF) weakness in `dirmngr`, the GnuPG daemon that issues the HTTP requests behind Web Key Directory (WKD) lookups: it did not adequately constrain the requests made on behalf of such a lookup. A WKD lookup derives the server it contacts from the domain part of the e-mail address being looked up, so the attacker needs nothing more than for the victim to look up an address at a domain the attacker controls. The attack is therefore triggered by any WKD request, for example simply entering an e-mail address in the composer window of Thunderbird with Enigmail, which queries WKD automatically. The reported consequences are attacker-controlled CSRF (requests issued from the victim's host to other services), information disclosure and denial of service (DoS).
Recommendations:
For GnuPG versions 2.1.12 through 2.2.11, update to GnuPG 2.2.12 or later; the fix is identified by commit 4a4bb874f63741026bd26264c43bb32b1099f060 in the GnuPG repository. Check the installed version with `gpg --version` and note that the vulnerable daemon is `dirmngr`, so distributions that package it separately must update that package too.
Until the update is in place, keep the vulnerable `dirmngr` from making WKD requests: remove `wkd` from the `auto-key-locate` setting in gpg.conf (or switch off automatic key lookup in the mail client), and consider blocking outbound HTTP from `dirmngr` with `disable-http` in dirmngr.conf, at the cost of HTTP-based keyserver lookups, or routing it through a controlled proxy with `http-proxy`. Run `gpgconf --reload dirmngr` after changing its configuration. Limiting the network reach of the `dirmngr` process (for example, no access to internal services) also limits what a forged request can hit.
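The following script is an added example for this advisory, not code from GnuPG or from the advisory itself: it decides whether a GnuPG version string falls in the affected range 2.1.12 through 2.2.11 and whether a gpg.conf explicitly lists the `wkd` mechanism in `auto-key-locate`. It assumes a POSIX shell with `sed`, `cut` and `grep`; the function names and the sample banner and gpg.conf are constructed here so it runs without a local GnuPG.

```shell
#!/bin/sh
# Added example for this advisory, not code from GnuPG or the advisory itself:
# decide whether a GnuPG version string falls in the affected range
# (2.1.12 through 2.2.11) and whether a gpg.conf explicitly enables WKD
# lookups. Function names and the sample data below are constructed here.

# Map "MAJOR.MINOR.PATCH" to one comparable integer. Trailing suffixes such
# as "-unknown" are stripped; missing components count as 0.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    printf '%d' $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# True (exit 0) when VERSION is within 2.1.12 .. 2.2.11 inclusive.
gnupg_is_affected() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 2.1.12)" ] && [ "$k" -le "$(version_key 2.2.11)" ]; then
        return 0
    fi
    return 1
}

# Pull the version out of the first line of `gpg --version`, e.g.
# "gpg (GnuPG) 2.2.11" or "gpg (GnuPG/MacGPG2) 2.2.11". The banner is passed
# in as text so the function can be exercised without a local gpg.
gnupg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# True when gpg.conf text contains an uncommented auto-key-locate line that
# lists the "wkd" mechanism. An absent line means the version's built-in
# default applies, which this check does not see.
gpgconf_enables_wkd() {
    printf '%s\n' "$1" \
      | grep -Ei '^[[:space:]]*auto-key-locate[[:space:]]+([^#]*[ ,])?wkd([ ,]|$)' >/dev/null
}

# Constructed sample data standing in for `gpg --version` output and
# ~/.gnupg/gpg.conf on the host being checked.
SAMPLE_BANNER='gpg (GnuPG) 2.2.11
libgcrypt 1.8.4'
SAMPLE_GPG_CONF='# constructed gpg.conf
keyserver hkps://keyserver.example.org
auto-key-locate local,wkd'

# Report on one host; exit status 1 means "affected, act on it", 2 means the
# banner could not be parsed.
check_host() {
    ver=$(gnupg_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a GnuPG version from the banner"
        return 2
    fi
    if gnupg_is_affected "$ver"; then
        echo "GnuPG $ver is in the affected range 2.1.12 through 2.2.11: update to 2.2.12 or later"
        if gpgconf_enables_wkd "$2"; then
            echo "gpg.conf lists wkd in auto-key-locate: drop it until the update is installed"
        fi
        return 1
    fi
    echo "GnuPG $ver is outside the affected range"
    return 0
}

# Live use: check_host "$(gpg --version)" "$(cat "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf")"
# The sample host is affected, so the status is 1; it is swallowed here so the
# demonstration does not abort a script running under set -e.
check_host "$SAMPLE_BANNER" "$SAMPLE_GPG_CONF" || :
```

The version comparison is done on integer keys rather than string order so that 2.2.9 sorts below 2.2.11; the gpg.conf check deliberately reports only an explicit `wkd` entry, because a missing `auto-key-locate` line means the version's default applies and should be looked up in that version's gpg manual rather than assumed to be safe.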