CVE-2019-14855: Inadequate Encryption Strength in GnuPG

Severity: 7.5 HIGH (NVD)
EPSS: 0.3% (top 43.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 20, 2020; latest update Oct 10, 2024

Description

A flaw was found in the way OpenPGP key certifications (the signatures one key makes over another key's user ID) could be forged using collisions in the SHA-1 hash algorithm. An attacker able to produce a SHA-1 collision could use this weakness to create a forged certification that GnuPG would accept as valid. This issue affects GnuPG versions before 2.2.18, the release that began rejecting SHA-1 key signatures created after 2019-01-19.
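The check a practitioner usually wants after reading this description is which certifications in the local keyring still rely on SHA-1 (or MD5), and which of those a patched GnuPG will refuse. The Python below is an added example written for this page, not GnuPG project code. It parses the machine-readable output of `gpg --with-colons --list-sigs` (hash algorithm in field 16 of sig/rev records) over a constructed sample listing embedded in the file; the cut-off date is the one GnuPG 2.2.18 applies to SHA-1 key signatures, and `scan_local_keyring` is a hypothetical wrapper that only works where gpg is installed.

```python
"""Find OpenPGP key certifications that still rely on SHA-1 or MD5.

Reads `gpg --with-colons --list-sigs` (or --check-sigs) output and reports
every sig/rev record whose hash algorithm (field 16) is a collision-prone
digest. Added example for this advisory page; not GnuPG project code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import subprocess

# Hash algorithm IDs are the OpenPGP registry values (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
              9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
WEAK_HASH_IDS = {1, 2}  # practical collision attacks exist for MD5 and SHA-1

# GnuPG 2.2.18 rejects SHA-1 key signatures created after this date unless
# --allow-weak-key-signatures is given; the scanner mirrors that cut-off.
GNUPG_SHA1_CUTOFF = datetime(2019, 1, 19, tzinfo=timezone.utc)


@dataclass
class WeakCertification:
    key_id: str            # key whose user ID carries the certification
    signer_id: str         # key that issued the certification
    user_id: str           # signer's user ID as printed by gpg
    created: datetime
    hash_name: str
    self_signature: bool   # signer is the certified key itself
    after_cutoff: bool     # newer than GNUPG_SHA1_CUTOFF


def parse_gpg_time(value):
    """--with-colons emits epoch seconds, or YYYYMMDDTHHMMSS for some records."""
    if not value:
        return None
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    return datetime.strptime(value, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def find_weak_certifications(colon_listing, cutoff=GNUPG_SHA1_CUTOFF):
    """Return one WeakCertification per sig/rev record that uses MD5 or SHA-1."""
    findings = []
    current_key = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record in ("pub", "sec") and len(fields) > 4:
            current_key = fields[4]          # field 5: long key ID
            continue
        if record not in ("sig", "rev") or len(fields) < 16:
            continue                          # not a signature, or gpg too old for field 16
        try:
            hash_id = int(fields[15])         # field 16: hash algorithm
        except ValueError:
            continue
        if hash_id not in WEAK_HASH_IDS:
            continue
        created = parse_gpg_time(fields[5])   # field 6: creation time
        findings.append(WeakCertification(
            key_id=current_key,
            signer_id=fields[4],
            user_id=fields[9],
            created=created,
            hash_name=HASH_ALGOS.get(hash_id, str(hash_id)),
            self_signature=(fields[4] == current_key),
            after_cutoff=bool(created and created > cutoff),
        ))
    return findings


def rejected_by_gnupg(findings):
    """Subset a patched gpg (>= 2.2.18) refuses: SHA-1 certifications newer than the cut-off."""
    return [f for f in findings if f.hash_name == "SHA-1" and f.after_cutoff]


def scan_local_keyring(gpg="gpg"):
    """Hypothetical wrapper: run gpg on the caller's keyring (needs GnuPG installed)."""
    out = subprocess.run([gpg, "--with-colons", "--list-sigs"],
                         capture_output=True, text=True, check=True).stdout
    return find_weak_certifications(out)


# Constructed listing in --with-colons format (not a real keyring): one key with a
# SHA-256 self-signature, a SHA-1 certification from 2020 and one from 2018.
SAMPLE_LISTING = """\
pub:u:3072:1:A1B2C3D4E5F60718:1546300800:::u:::scESC::::::23::0:
uid:u::::1546300800::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:A1B2C3D4E5F60718:1546300800::::Alice Example <alice@example.org>:13x:::::8:
sig:::1:0F1E2D3C4B5A6978:1577836800::::Bob Example <bob@example.org>:10x:::::2:
sig:::1:9876543210FEDCBA:1514764800::::Carol Example <carol@example.org>:10x:::::2:
"""

if __name__ == "__main__":
    for f in find_weak_certifications(SAMPLE_LISTING):
        status = "rejected by gpg >= 2.2.18" if f.hash_name == "SHA-1" and f.after_cutoff else "legacy, pre-cut-off"
        print(f"{f.key_id} certified by {f.signer_id} with {f.hash_name} on {f.created:%Y-%m-%d}: {status}")
```

Run it as-is against the embedded sample, or call `scan_local_keyring()` on a host with GnuPG. Pre-cut-off SHA-1 certifications are reported but not marked as rejected; they still form part of the trust path and are worth re-issuing with SHA-256, because the weakness is in the hash, not in the date.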

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Note that this NVD vector places the whole impact on confidentiality (C:H) and none on integrity (I:N), although the flaw described above is a signature forgery. Treat the 7.5 score as a triage input rather than a description of what a forged certification lets an attacker do.

Affected Packages (3)

Source       Package           Version
NVD          gnupg/gnupg       < 2.2.18
Debian       red_hat/gnupg2    < 2.2.19-1+3
CVEList V5   red_hat/gnupg2    2.2.18

Also affects: Fedora 30, Fedora 31, Ubuntu Linux 18.04

🔴 Vulnerability Details (3)

GHSA: GHSA-cpvm-f36g-55vg: A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm (2022-05-24)
CVEList: CVE-2019-14855: A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm (2020-03-20)
OSV: CVE-2019-14855: A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm (2020-03-20)

📋 Vendor Advisories (4)

CISA ICS: Rockwell Automation DataMosaix Private Cloud (2024-10-10)
Ubuntu: GnuPG vulnerability (2020-09-17)
Red Hat: gnupg2: OpenPGP Key Certification Forgeries with SHA-1 (2020-01-09)
Debian: CVE-2019-14855: gnupg1 - A flaw was found in the way certificate signatures could be forged using collisi... (2019)

📐 Framework References (1)

CWE: Use of Weak Hash

💬 Community (3)

Bugzilla: CVE-2019-14855 gnupg1: gnupg2: OpenPGP Key Certification Forgeries with SHA-1 [fedora-30] (2020-03-20)
Bugzilla: CVE-2019-14855 gnupg1: gnupg2: OpenPGP Key Certification Forgeries with SHA-1 [fedora-31] (2020-03-20)
Bugzilla: CVE-2019-14855 gnupg2: OpenPGP Key Certification Forgeries with SHA-1 (2019-11-11)