Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
7.8
CVSSv3

CVE-2020-25125

Published: 03/09/2020 Updated: 11/09/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

gnupg gnupg 2.2.22

gpg4win gpg4win 3.1.12

gnupg gnupg 2.2.21

Vendor Advisories

Arch Linux Issues:
Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated ...

Mailing Lists

Full Disclosure: CVE-2020-25125: gnupg2: buffer overflow when importing a key with AEAD preferences
CVE-2020-25125 was assigned to the following issue in GnuPG: listsgnupgorg/pipermail/gnupg-announce/2020q3/000448html -- Wolfgang Frisch <wolfgangfrisch () suse com> Security Engineer OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15 SUSE Software Solutions Germany GmbH Maxfeldstr 5, 90409 Nuremberg, ...
Full Disclosure: GNUPG released with AEAD sec fix CVE-2020-25125
Hi, gnupg just released a security fix update CVE-2020-25125 listsgnupgorg/pipermail/gnupg-announce/2020q3/000448html Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour Importing an arbitrary key can often easily be trigger ...

References

CWE-120https://bugzilla.opensuse.org/show_bug.cgi?id=1176034https://lists.gnupg.org/pipermail/gnupg-announce/2020q3/000448.htmlhttps://dev.gnupg.org/T5050https://dev.gnupg.org/rG8ec9573e57866dda5efb4677d4454161517484bchttp://www.openwall.com/lists/oss-security/2020/09/03/5http://www.openwall.com/lists/oss-security/2020/09/03/4https://nvd.nist.govhttp://seclists.org/oss-sec/2020/q3/148https://security.archlinux.org/CVE-2020-25125
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-6280CVE-2024-5346CVE-2024-30078CVE-2022-45803CVE-2024-36886SQLCVE-2024-24553IMAPmemory leak
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook