CVE-2001-1016 — Corporate Desktop vulnerability

2 documents2 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PGP Corporate Desktop PGP E-business Server PGP Freeware +2 more

Timeline

PublishedSep 4

Latest updateApr 30

Description

PGP Corporate Desktop before 7.1, Personal Security before 7.0.3, Freeware before 7.0.3, and E-Business Server before 7.1 does not properly display when invalid userID's are used to sign a message, which could allow an attacker to make the user believe that the document has been signed by a trusted third party by adding a second, invalid user ID to a key which has already been signed by the third party, aka the "PGPsdk Key Validity Vulnerability."

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶NVDpgp/corporate_desktop7.1

▶NVDpgp/e-business_server6.5.8, 7.0.4, 7.1+2

▶NVDpgp/personal_security7.0.3

▶NVDpgp/freeware7.0.3

▶NVDpgp/pgp5.0, 6.0.2+1

Patches

Patch: www.pgp.com ↗Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-cg3c-pj78-hrh5: PGP Corporate Desktop before 7↗2022-04-30

▶