Vulnerabilities > Gnupg

DATE CVE VULNERABILITY TITLE RISK
2020-09-03 CVE-2020-25125 Classic Buffer Overflow vulnerability in multiple products
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences.
6.8
2020-03-20 CVE-2019-14855 USE of A Broken OR Risky Cryptographic Algorithm vulnerability in multiple products
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm.
network
low complexity
gnupg fedoraproject CWE-327
5.0
2020-02-12 CVE-2020-8945 USE After Free vulnerability in multiple products
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O.
network
high complexity
gnupg redhat fedoraproject CWE-416
5.1
2019-11-29 CVE-2015-0837 Information Exposure Through Discrepancy vulnerability in multiple products
The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
network
gnupg debian CWE-203
4.3
2019-11-29 CVE-2014-3591 Information Exposure vulnerability in multiple products
Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
1.9
2019-11-27 CVE-2011-2207 Improper Certificate Validation vulnerability in multiple products
dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate.
network
low complexity
gnupg redhat debian CWE-295
5.0
2019-11-20 CVE-2015-1607 Improper Input Validation vulnerability in multiple products
kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges."
4.3
2019-11-20 CVE-2015-1606 USE After Free vulnerability in multiple products
The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.
network
gnupg debian CWE-416
4.3
2019-06-29 CVE-2019-13050 Improper Validation of Certificate With Host Mismatch vulnerability in multiple products
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network.
network
low complexity
gnupg sks-keyserver-project CWE-297
5.0
2019-06-20 CVE-2019-12904 Cryptographic Issues vulnerability in Gnupg Libgcrypt 1.8.4
** DISPUTED ** In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes.
network
gnupg CWE-310
4.3