Vulnerabilities > Gnupg > Gnupg > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-07-01 CVE-2022-34903 Injection vulnerability in multiple products
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
network
high complexity
gnupg fedoraproject debian netapp CWE-74
6.5
2020-09-03 CVE-2020-25125 Classic Buffer Overflow vulnerability in multiple products
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences.
6.8
2019-11-29 CVE-2015-0837 Information Exposure Through Discrepancy vulnerability in multiple products
The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
network
gnupg debian CWE-203
4.3
2019-11-27 CVE-2011-2207 Improper Certificate Validation vulnerability in multiple products
dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate.
network
low complexity
gnupg redhat debian CWE-295
5.0
2019-11-20 CVE-2015-1607 Improper Input Validation vulnerability in multiple products
kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges."
local
low complexity
gnupg canonical CWE-20
5.5
2019-11-20 CVE-2015-1606 Use After Free vulnerability in multiple products
The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.
local
low complexity
gnupg debian CWE-416
5.5
2018-12-20 CVE-2018-1000858 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS.
6.8
2018-06-08 CVE-2018-12020 Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option.
network
low complexity
redhat canonical debian gnupg CWE-706
5.0
2018-04-04 CVE-2018-9234 Key Management Errors vulnerability in multiple products
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
network
low complexity
gnupg canonical CWE-320
5.0
2016-12-13 CVE-2016-6313 Information Exposure vulnerability in multiple products
The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
network
low complexity
gnupg debian canonical CWE-200
5.3