CVE-2020-10759

Published: 15/09/2020 | Updated: 12/02/2023
CVSS v2 Base Score: 3.3 | Impact Score: 4.9 | Exploitability Score: 3.4
CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSS v3 Base Score: 6.0 | Impact Score: 5.2 | Exploitability Score: 0.8
VMScore: 294

Vulnerability Summary

A PGP signature verification bypass has been found in fwupd before 1.4.0, and in libjcat <= 0.1.2. If the blob supplied as a detached signature is actually a PGP message, gpgme_op_verify() returns GPG_ERR_NO_ERROR instead of an error, and gpgme_op_verify_result() then yields an empty signature list. A caller that treats "no error" as "verified", without also checking that at least one signature was actually validated, accepts the payload as signed; in fwupd this allows unsigned firmware to be installed.
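The following is an added example, not code from fwupd, libjcat or the PoC repository. It shows two independent checks against the failure mode just described: a pre-check that the bytes handed over as a "detached signature" really consist only of OpenPGP signature packets (RFC 4880 packet tag 2), so that a PGP message is rejected before gpgme ever sees it, and a model of result handling that requires at least one signature flagged GPGME_SIGSUM_VALID rather than merely a zero error code. The packet-tag pre-check is my own defence-in-depth suggestion and is not the upstream fix; the sample blobs are constructed here with valid packet headers and filler bodies, not real signatures; GPGME_SIGSUM_VALID is the bit value from gpgme.h.

```python
"""Added example for CVE-2020-10759; not code from fwupd, libjcat or the PoC.

Two checks against a verify call that reports no error but yields zero
signatures. Sample blobs are constructed here and are NOT real signatures;
only their packet headers matter.
"""
from dataclasses import dataclass

# OpenPGP packet tags (RFC 4880, section 4.3). A detached signature is made
# only of tag-2 packets; a PGP *message* contains data/session-key packets.
TAG_SIGNATURE = 2
TAG_COMPRESSED = 8
TAG_LITERAL = 11

# GPGME_SIGSUM_VALID as defined in gpgme.h (gpgme_sigsum_t bit 0).
GPGME_SIGSUM_VALID = 0x0001


def _need(blob: bytes, i: int, k: int) -> None:
    """Raise unless k more bytes are available at offset i."""
    if i + k > len(blob):
        raise ValueError(f"byte {i}: truncated packet")


def iter_packets(blob: bytes):
    """Yield (tag, body) for each OpenPGP packet in blob.

    Handles old- and new-format headers (RFC 4880, section 4.2). Partial and
    indeterminate body lengths are rejected: a detached signature never needs
    them, while GnuPG commonly emits compressed message data with an
    indeterminate old-format length.
    """
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"byte {i}: not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            _need(blob, i, 2)
            first = blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                _need(blob, i, 3)
                length = ((first - 192) << 8) + blob[i + 2] + 192
                hdr = 3
            elif first == 255:
                _need(blob, i, 6)
                length = int.from_bytes(blob[i + 2:i + 6], "big")
                hdr = 6
            else:
                raise ValueError(f"byte {i}: partial body length not allowed")
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError(f"byte {i}: indeterminate length not allowed")
            lsize = 1 << ltype               # 1, 2 or 4 length bytes
            _need(blob, i, 1 + lsize)
            length = int.from_bytes(blob[i + 1:i + 1 + lsize], "big")
            hdr = 1 + lsize
        _need(blob, i, hdr + length)
        yield tag, blob[i + hdr:i + hdr + length]
        i += hdr + length


def is_detached_signature(blob: bytes) -> bool:
    """Pre-check (my own defence-in-depth idea, not the upstream fix): accept
    the blob only if it parses as one or more signature packets and nothing
    else. A PGP message disguised as a .asc/.sig fails here before gpgme
    ever sees it."""
    try:
        tags = [tag for tag, _ in iter_packets(blob)]
    except ValueError:
        return False
    return bool(tags) and all(t == TAG_SIGNATURE for t in tags)


@dataclass
class Sig:
    """Minimal stand-in for one entry of gpgme_verify_result_t->signatures."""
    fpr: str
    summary: int


def verify_vulnerable(err: int, sigs: list) -> bool:
    """The bypassed pattern: "no error from gpgme_op_verify()" is taken as
    "verified". For a PGP message err is 0 and sigs is empty, so this
    returns True with nothing verified."""
    return err == 0


def verify_hardened(err: int, sigs: list) -> bool:
    """Require no error, at least one signature, and every signature
    carrying GPGME_SIGSUM_VALID. An empty list is a failure."""
    if err != 0 or not sigs:
        return False
    return all(s.summary & GPGME_SIGSUM_VALID for s in sigs)


# Constructed sample blobs (headers are real-format; bodies are filler).
SIG_BLOB = bytes([0xC2, 0x03]) + b"\x04\x00\x01"              # new-format tag 2
OLD_SIG_BLOB = bytes([0x88, 0x03]) + b"\x04\x00\x01"          # old-format tag 2
MSG_BLOB = bytes([0xCB, 0x0E]) + b"b\x00\x00\x00\x00\x00firmware"  # literal data, tag 11
COMPRESSED_INDET = bytes([0xA3]) + b"\x00\x00"                # old-format tag 8, indeterminate length

if __name__ == "__main__":
    for name, blob in [("detached sig", SIG_BLOB), ("pgp message", MSG_BLOB)]:
        print(f"{name}: detached={is_detached_signature(blob)}")
    # What gpgme reports for a PGP message, per the advisory: err 0, no signatures.
    print("vulnerable check:", verify_vulnerable(0, []))
    print("hardened check:  ", verify_hardened(0, []))
```

The pre-check is deliberately strict: anything that is not purely tag-2 packets, including a blob GnuPG would happily parse as a compressed message with indeterminate length, is refused. The result-handling check is the one that matters regardless of the pre-check, since "error code zero" says nothing about whether any signature was examined.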

Vulnerable Products

redhat enterprise linux 7.0
redhat enterprise linux 8.0

Vendor Advisories

Synopsis: Low: gnome-software and fwupd security, bug fix, and enhancement update. Type/Severity: Security Advisory: Low. Topic: An update for appstream-data, fwupd, gnome-software, and libxmlb is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security imp ...
Debian Bug report logs - #962517 CVE-2020-10759. Package: src:fwupd; Maintainer for src:fwupd is Debian EFI <debian-efi@lists.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org>; Date: Tue, 9 Jun 2020 08:03:01 UTC; Severity: grave; Tags: security ...
fwupd could be made to install an unsigned firmware ...
A PGP signature verification bypass has been found in fwupd prior to 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list ...

Github Repositories

Proof of Concept for CVE-2020-10759 (fwupd signature validation bypass)

Summary: Exploits CVE-2020-10759 - fwupd PGP signature verification bypass. See github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md for more details.
Requirements: Note: You need to install python3-gpg from your OS vendor. This module doesn't like being installed via pip because it needs to