CVE-2018-9234

Published: 04/04/2018 Updated: 27/02/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

Vulnerable Products

gnupg gnupg 2.2.4
gnupg gnupg 2.2.5
canonical ubuntu linux 14.04
canonical ubuntu linux 16.04
canonical ubuntu linux 17.10
canonical ubuntu linux 18.04

Vendor Advisories

Several security issues were fixed in GnuPG ...
Debian Bug report logs - #894983 gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard. Package: src:gnupg2; Maintainer for src:gnupg2 is Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, ...
Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys: GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey (CVE-2018-9234) ...
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey ...
When using a GnuPG smartcard in 2.2.4+ with an offline master [C]ertify key, it is possible to sign the keys of others with only a [S]igning subkey present ...