MidnightBSD

Advisories for sks_keyserver_project

CVE-2014-3207 MEDIUM

Cross-site scripting (XSS) vulnerability in wserver.ml in SKS Keyserver before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to pks/lookup/undefined1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
sks_keyserver_project sks_keyserver 1.0.2
sks_keyserver_project sks_keyserver 1.1.3
sks_keyserver_project sks_keyserver 1.0.3
sks_keyserver_project sks_keyserver 0.1.3
sks_keyserver_project sks_keyserver *
sks_keyserver_project sks_keyserver 1.1.0
sks_keyserver_project sks_keyserver 0.1.2
sks_keyserver_project sks_keyserver 1.1.1
sks_keyserver_project sks_keyserver 0.1.1
sks_keyserver_project sks_keyserver 0.1.0
sks_keyserver_project sks_keyserver 1.0.5
sks_keyserver_project sks_keyserver 1.1.2

CVE-2019-13050 MEDIUM

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
fedoraproject fedora 30
opensuse leap 15.0
f5 traffix_signaling_delivery_controller *
fedoraproject fedora 29
opensuse leap 15.1
sks_keyserver_project sks_keyserver *
gnupg gnupg *