Denial of Service Vulnerability in SKS Keyserver Network and GnuPG
CVE-2019-13050

7.5 HIGH

Key Information:

Vendor: GnuPG
CVE Published: 29 June 2019

What is CVE-2019-13050?

A security issue has been identified in SKS Keyserver versions up to 1.2.0 when used together with GnuPG versions up to 2.2.16. Because of the way the two interact, a GnuPG keyserver configuration pointing to a host on the SKS keyserver network can lead to a persistent denial of service. This occurs as a result of a Certificate Spamming Attack that can overwhelm the server with excessive data requests, disrupting service availability.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
