GnuPG Array Overflow Vulnerability in OpenPGP Key Import
CVE-2020-25125
7.8 HIGH
What is CVE-2020-25125?
GnuPG versions 2.2.21 and 2.2.22, and Gpg4win 3.1.12, contain an array overflow vulnerability. It is triggered when an attacker tricks a user into importing a malicious OpenPGP key that carries AEAD preferences. The flaw lies in the g10/key-check.c component and results in a crash or potentially other, unspecified impacts. GnuPG 2.3.x is not affected, and GnuPG 2.2.23 has been released to fix this issue.
