[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248585

 
 

909

 
 

195621

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2020-8945Date: (C)2020-02-13   (M)2023-12-22


The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 7.5CVSS Score : 5.1
Exploit Score: 1.6Exploit Score: 4.9
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: HIGHAccess Complexity: HIGH
Privileges Required: NONEAuthentication: NONE
User Interaction: REQUIREDConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
FEDORA-2020-2a0aac3502
FEDORA-2020-aeea04cd13
FEDORA-2020-ccc3e64ea5
FEDORA-2020-f317e13ecf
RHSA-2020:0679
RHSA-2020:0689
RHSA-2020:0697
https://bugzilla.redhat.com/show_bug.cgi?id=1795838
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
https://github.com/proglottis/gpgme/pull/23

CPE    3
cpe:/o:redhat:enterprise_linux:7.0
cpe:/o:redhat:enterprise_linux_server:7.0
cpe:/o:redhat:enterprise_linux_workstation:7.0
CWE    1
CWE-416
OVAL    9
oval:org.secpod.oval:def:503630
oval:org.secpod.oval:def:503634
oval:org.secpod.oval:def:503746
oval:org.secpod.oval:def:503632
...

© SecPod Technologies