CVE-2020-8945

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

CVSS v3 7.5 HIGH
CVSS v2.0 5.1 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://access.redhat.com/errata/RHSA-2020:0679	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0689	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0697	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1795838	Issue Tracking Patch Third Party Advisory
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1	Patch Third Party Advisory
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1	Patch Third Party Advisory
https://github.com/proglottis/gpgme/pull/23	Exploit Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/
https://access.redhat.com/errata/RHSA-2020:0679	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0689	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0697	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1795838	Issue Tracking Patch Third Party Advisory
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1	Patch Third Party Advisory
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1	Patch Third Party Advisory
https://github.com/proglottis/gpgme/pull/23	Exploit Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/

Configurations

Configuration 1 (hide)

cpe:2.3:a:gpgme_project:gpgme:*:*:*:*:*:go:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.2:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.3:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.4:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.5:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.1:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.2:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.1:::::::*
	cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.2:::::::*

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:30:::::::*
	cpe:2.3:o:fedoraproject:fedora:31:::::::*
	cpe:2.3:o:fedoraproject:fedora:32:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 5 (hide)

cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

History

21 Nov 2024, 05:39

Type	Values Removed	Values Added
References	~~() https://access.redhat.com/errata/RHSA-2020:0679 - Third Party Advisory~~	() https://access.redhat.com/errata/RHSA-2020:0679 - Third Party Advisory
References	~~() https://access.redhat.com/errata/RHSA-2020:0689 - Third Party Advisory~~	() https://access.redhat.com/errata/RHSA-2020:0689 - Third Party Advisory
References	~~() https://access.redhat.com/errata/RHSA-2020:0697 - Third Party Advisory~~	() https://access.redhat.com/errata/RHSA-2020:0697 - Third Party Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=1795838 - Issue Tracking, Patch, Third Party Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=1795838 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1 - Patch, Third Party Advisory~~	() https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1 - Patch, Third Party Advisory
References	~~() https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1 - Patch, Third Party Advisory~~	() https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1 - Patch, Third Party Advisory
References	~~() https://github.com/proglottis/gpgme/pull/23 - Exploit, Patch, Third Party Advisory~~	() https://github.com/proglottis/gpgme/pull/23 - Exploit, Patch, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/ -

18 Oct 2022, 17:59

Type	Values Removed	Values Added
CPE	cpe:2.3:a:gnupg:gpgme::::::::	cpe:2.3:a:gpgme_project:gpgme::::::go::*

07 Oct 2022, 13:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:redhat:openshift_container_platform:4.4:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.5:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.2:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.1:::::::* cpe:2.3:o:fedoraproject:fedora:32:::::::* cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.1:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::* cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.2:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/ - Mailing List, Third Party Advisory

Information

Published : 2020-02-12 18:15

Updated : 2024-11-21 05:39

NVD link : CVE-2020-8945

Mitre link : CVE-2020-8945

CVE.ORG link : CVE-2020-8945

JSON object : View

Products Affected

fedoraproject

fedora

redhat

enterprise_linux
openshift_container_platform_for_linuxone
enterprise_linux_for_ibm_z_systems
enterprise_linux_server
enterprise_linux_workstation
enterprise_linux_for_power_little_endian
openshift_container_platform
openshift_container_platform_for_ibm_z

gpgme_project

gpgme

CWE

CWE-416

Use After Free

7.5 /10