CVE-2018-1000885

CRITICAL

phkp - OS Command Injection via HKP-Api Lookup Parameter

Title source: llm
STIX 2.1

Description

PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contains a Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function pgp_exec() phkp.php:98 that can result in It is possible to manipulate gpg-keys or execute commands remotely. This attack appear to be exploitable via HKP-Api: /pks/lookup?search.

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0322
EPSS Percentile 86.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
phkp_project/phkp
Published Dec 20, 2018
Tracked Since Feb 18, 2026