Vulnerabilities > Gnupg > Gnupg > 2.0.8
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-01 | CVE-2022-34903 | Injection vulnerability in multiple products GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. | 6.5 |
| 2020-03-20 | CVE-2019-14855 | Inadequate Encryption Strength vulnerability in multiple products A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. | 7.5 |
| 2019-11-27 | CVE-2011-2207 | Improper Certificate Validation vulnerability in multiple products dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate. | 5.0 |
| 2019-11-20 | CVE-2015-1607 | Improper Input Validation vulnerability in multiple products kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges." | 5.5 |
| 2019-11-20 | CVE-2015-1606 | Use After Free vulnerability in multiple products The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file. | 5.5 |
| 2019-06-29 | CVE-2019-13050 | Improper Certificate Validation vulnerability in multiple products Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. | 7.5 |
| 2018-06-08 | CVE-2018-12020 | Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. | 5.0 |
| 2013-10-10 | CVE-2013-4351 | Cryptographic Issues vulnerability in Gnupg GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. | 5.8 |
| 2013-08-19 | CVE-2013-4242 | Information Exposure vulnerability in multiple products GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | 1.9 |
| 2010-08-05 | CVE-2010-2547 | Use After Free vulnerability in multiple products Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature. | 8.1 |