MidnightBSD

Advisories for gpgme_project

CVE-2020-8945 MEDIUM

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

CVSS 3.x

| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 |

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416

Products Affected

| Vendor | Product | Version |
|---|---|---|
| redhat | openshift_container_platform | 4.2 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | openshift_container_platform_for_ibm_z | 4.2 |
| redhat | enterprise_linux_workstation | 7.0 |
| gpgme_project | gpgme | * |
| redhat | openshift_container_platform | 3.11 |
| redhat | openshift_container_platform | 4.3 |
| redhat | openshift_container_platform | 4.4 |
| redhat | openshift_container_platform | 4.1 |
| redhat | openshift_container_platform_for_linuxone | 4.2 |
| fedoraproject | fedora | 30 |
| redhat | openshift_container_platform | 4.5 |
| fedoraproject | fedora | 32 |
| redhat | enterprise_linux_for_ibm_z_systems | 7.0 |
| redhat | openshift_container_platform_for_ibm_z | 4.1 |
| fedoraproject | fedora | 31 |
| redhat | enterprise_linux_for_power_little_endian | 7.0 |
| redhat | openshift_container_platform_for_linuxone | 4.1 |