Key Certification Vulnerability in GnuPG by GnuPG Project
CVE-2018-9234

7.5 HIGH

Key Information:

Vendor: GnuPG

Status: Vendor

CVE Published: 4 April 2018

What is CVE-2018-9234?

GnuPG versions 2.2.4 and 2.2.5 do not enforce a configuration in which key certification requires the offline master Certify key. As a result, a key certification can be produced with access to only a signing subkey, yet still appear valid to verifiers, which opens the door to misuse and unauthorized access.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
