Signature Validation Vulnerability in GNOME Evolution by GNOME
CVE-2021-3349

3.3LOW

Key Information:

Vendor

Gnome
Status
Evolution
Vendor
CVE Published:
1 February 2021

What is CVE-2021-3349?

GNOME Evolution prior to version 3.38.3 presents a concern where it incorrectly validates signatures from previously trusted keys when an unknown identifier is encountered. This flaw arises because Evolution does not obtain sufficient data from the GnuPG API, potentially leading users to erroneously trust unverified signatures. Discourse among third parties raises questions about the relevance of this issue and whether the behavior should be altered within Evolution itself.

References

https://gitlab.gnome.org/GNOME/evolution/-/issues/299
x_refsource_MISC
https://mgorny.pl/articles/evolution-uid-trust-extrapolat...
x_refsource_MISC
https://dev.gnupg.org/T4735
x_refsource_MISC

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.