PT-2020-20383 · Red Hat +3 · Cri-O +3

Credit: Miloslav Trmač +1

Published 2020-02-12 · Updated 2023-02-13

CVE-2020-8945

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: proglottis Go wrapper versions prior to 0.1.1

Description: The issue is a use-after-free in the proglottis Go wrapper for GPGME that can cause a crash or potentially allow code execution during GPG signature verification. It stems from improper memory management across the Go/C boundary: memory passed to C may be freed before C uses it, leading to crashes or possible code execution.

Recommendations: For proglottis Go wrapper versions prior to 0.1.1, update to version 0.1.1 or later to resolve the issue. As a temporary workaround, consider disabling GPG signature verification until a patch is available. Restrict access to the GPGME library to minimize the risk of exploitation. Avoid using the proglottis Go wrapper for container image pulls by Docker or CRI-O until the issue is resolved.

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2020-8945
GHSA-M6WG-2MWG-4RFQ
GO-2021-0096
RHSA-2020:0679
RHSA-2020:0689
RHSA-2020:0697
RHSA-2020:0928
RHSA-2020:1230
RHSA-2020:1231
RHSA-2020:1234
RHSA-2020:1396
RHSA-2020:1937
RHSA-2020:2027
RHSA-2020:2117
RHSA-2020:2413
RHSA-2020:2927
RHSA-2020:2992

Affected Products

Cri-O
Docker
Gpgme
Proglottis Go Wrapper