CVE-2018-1000858 — Cross-Site Request Forgery in Gnupg

CWE-352 — Cross-Site Request Forgery9 documents8 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 57.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnupg Canonical Ubuntu Linux

Timeline

PublishedDec 20

Latest updateMay 14

Description

GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDgnupg/gnupg2.1.12 — 2.2.11

Also affects: Ubuntu Linux 18.04, 18.10

🔴Vulnerability Details

GHSA

GHSA-44cw-f8qw-mf2h: GnuPG version 2↗2022-05-14

▶

CVEList

CVE-2018-1000858: GnuPG version 2↗2018-12-20

▶

OSV

CVE-2018-1000858: GnuPG version 2↗2018-12-20

▶

📋Vendor Advisories

Ubuntu

GnuPG vulnerability↗2019-01-10

▶

Red Hat

gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service↗2018-11-23

▶

Debian

CVE-2018-1000858: gnupg1 - GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulner...↗2018

▶

💬Community

Bugzilla

CVE-2018-1000858 gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service [fedora-all]↗2019-01-07

▶

Bugzilla

CVE-2018-1000858 gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service↗2019-01-07

▶