CVE-2020-8945
Severity
7.5HIGH
EPSS
1.9%
top 16.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 12
Latest updateMay 18
Description
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9
Affected Packages6 packages
Also affects: Openshift Container Platform 3.11, 4.1, 4.2, 4.3, 4.4, 4.5, Fedora 30, 31, 32, Enterprise Linux 7.0
Patches
🔴Vulnerability Details
5📋Vendor Advisories
2💬Community
12Bugzilla▶
CVE-2020-8945 buildah: proglottis/gpgme: Use-after-free in GPGME bindings during container image pull [fedora-all]↗2020-02-17
Bugzilla▶
CVE-2020-8945 docker: proglottis/gpgme: Use-after-free in GPGME bindings during container image pull [openstack-rdo]↗2020-02-14
Bugzilla▶
CVE-2020-8945 cri-o:1.11/cri-o: proglottis/gpgme: Use-after-free in GPGME bindings during container image pull [fedora-all]↗2020-02-14
Bugzilla▶
CVE-2020-8945 docker: proglottis/gpgme: Use-after-free in GPGME bindings during container image pull [fedora-all]↗2020-02-14
Bugzilla▶
CVE-2020-8945 cri-o:1.14/cri-o: proglottis/gpgme: Use-after-free in GPGME bindings during container image pull [fedora-all]↗2020-02-14