CyberSec.Space Logo
Back to CVE Browser

CVE-2018-1000858

HIGH
8.8
CVSS Severity Score
EPSS Score0.1930%
EPSS Percentile13.93th
PublishedDec 20, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.

Affected Platforms (CPE)

πŸ“¦
Gnupg

Gnupg

>= 2.1.12 and <= 2.2.11
πŸ’»
Canonical

Ubuntu Linux

= 18.04
πŸ’»
Canonical

Ubuntu Linux

= 18.10

References & Advisories

πŸ”— https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html
πŸ”— https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html
πŸ”— https://usn.ubuntu.com/3853-1/
πŸ”— https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html
πŸ”— https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html
πŸ”— https://usn.ubuntu.com/3853-1/

Related Vulnerabilities

CVE-2006-623510.0

A "stack overwrite" vulnerability in GnuPG (gpg) 1.x before 1.4.6, 2.x before 2.0.2, and 1.9.0 through 1.9.95 allows attackers to ...

CVE-2003-025510.0

The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns ...

CVE-2018-123569.8

An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routi...

CVE-2008-15309.3

GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via c...