ID CVE-2008-1530
Summary GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
References
Vulnerable Configurations
  • cpe:2.3:a:gnupg:gnupg:1.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:gnupg:gnupg:2.0.8:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 08-08-2017 - 01:30)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
refmap via4
bid 28487
confirm
misc http://www.ocert.org/advisories/ocert-2008-1.html
mlist [Announce] 20080326 GnuPG 1.4.9 released
secunia 29568
vupen ADV-2008-1056
xf gnupg-keys-code-execution(41547)
statements via4
contributor Mark J Cox
lastmodified 2008-03-28
organization Red Hat
statement Not vulnerable. This issue does not affect the versions of gnupg packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 or 5.
Last major update 08-08-2017 - 01:30
Published 27-03-2008 - 23:44