Cross-Site Request Forgery Vulnerability in GnuPG dirmngr Product by GnuPG
CVE-2018-1000858

8.8 HIGH

Key Information:

Vendor

Gnupg

Status
Vendor
CVE Published: 20 December 2018

What is CVE-2018-1000858?

GnuPG versions 2.1.12 to 2.2.11 contain a Cross-Site Request Forgery (CSRF) vulnerability in the dirmngr component. The flaw can result in attacker-controlled CSRF, potentially leading to unauthorized information disclosure and denial of service (DoS) conditions. Exploitation requires the victim to perform a Web Key Directory (WKD) request, for example by entering an email address in the Thunderbird/Enigmail composer window, while targeted by a malicious entity. The issue was addressed in commits made after the vulnerability was identified.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved