Home > Vulnerability Database > CVE-2018-12020

Mend.io Vulnerability Database

CVE-2018-12020

Good to know:

Date: June 8, 2018

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

Language: C

Severity Score

7.5

Related Resources (26)

Url: http://www.securitytracker.com/id/1041051

Url: https://www.debian.org/security/2018/dsa-4224

Url: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

Url: https://www.debian.org/security/2018/dsa-4222

Url: https://www.debian.org/security/2018/dsa-4223

Url: https://usn.ubuntu.com/3675-1/

Url: https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html

Url: https://usn.ubuntu.com/3675-3/

Url: https://access.redhat.com/errata/RHSA-2018:2180

Url: https://access.redhat.com/errata/RHSA-2018:2181

Url: https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf

Url: https://security-tracker.debian.org/tracker/CVE-2018-12020

Url: https://usn.ubuntu.com/3964-1/

Url: http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

Url: https://github.com/RUB-NDS/Johnny-You-Are-Fired

Url: http://www.openwall.com/lists/oss-security/2019/04/30/4

Url: http://www.securityfocus.com/bid/104450

Url: https://access.redhat.com/security/cve/CVE-2018-12020

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-12020

Url: https://dev.gnupg.org/T4012

Url: https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2018-12020

Url: https://usn.ubuntu.com/3675-2/

Url: http://openwall.com/lists/oss-security/2018/06/08/2

Url: http://seclists.org/fulldisclosure/2019/Apr/38

Url: https://www.mend.io/vulnerability-database/CVE-2018-12020

Severity Score

7.5

Weakness Type (CWE)

Data Handling

CWE-19

Use of Incorrectly-Resolved Name or Reference

CWE-706

Top Fix

Upgrade Version

Upgrade to version GnuPG - 1.4.23,2.2.8

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-12020

Good to know:

Date: June 8, 2018

Language: C

Severity Score

Related Resources (26)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?