Published: 14/02/2014 Updated: 29/08/2017

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

parcimonie prior to 0.8.1, when using a large keyring, sleeps for the same amount of time between fetches, which allows malicious users to correlate key fetches via unspecified vectors.

Vulnerable Product	Search on Vulmon	Subscribe to Product
parcimonie project parcimonie
parcimonie project parcimonie 0.7-1
parcimonie project parcimonie 0.6-3
parcimonie project parcimonie 0.6-1

Debian Bug report logs - #738134 parcimonie: CVE-2014-1921: possible correlation between key fetches Package: parcimonie; Maintainer for parcimonie is Debian Privacy Tools Maintainers <pkg-privacy-maintainers@listsaliothdebianorg>; Source for parcimonie is src:parcimonie (PTS, buildd, popcon) Reported by: Holger Levsen &l ...

Holger Levsen discovered that parcimonie, a privacy-friendly helper to refresh a GnuPG keyring, is affected by a design problem that undermines the usefulness of this piece of software in the intended threat model When using parcimonie with a large keyring (1000 public keys or more), it would always sleep exactly ten minutes between two key fetche ...

CWE-362 https://gaffer.ptitcanardnoir.org/intrigeri/files/parcimonie/App-Parcimonie-0.8.1.tar.gz http://www.debian.org/security/2014/dsa-2860 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738134 http://seclists.org/oss-sec/2014/q1/305 http://www.securityfocus.com/bid/65505 http://seclists.org/oss-sec/2014/q1/308 https://exchange.xforce.ibmcloud.com/vulnerabilities/91118 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738134 https://nvd.nist.gov https://www.debian.org/security/./dsa-2860

CVE-2014-1921

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect