Signature Forgery in GnuPG by Status Line Injection
CVE-2022-34903

6.5 MEDIUM

Key Information:

Vendor

Gnupg

Status

Vendor

CVE Published:

1 July 2022

What is CVE-2022-34903?

GnuPG versions up to 2.3.6 contain a vulnerability that allows an attacker who possesses secret-key information from a victim's keyring to forge signatures. The flaw is exploitable only under specific conditions, notably when GPGME is in use. It permits the attacker to inject data into the status line, the machine-readable output that GnuPG reports to calling programs such as GPGME, so that forged signatures are reported as valid. This undermines the integrity of cryptographic operations and the trust placed in signed communications.

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
