CVE-2020-8945
HIGH
gpgme < 0.1.1 - Use-After-Free in Proglottis Go Wrapper
Title source: llm
Description
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
References (11)
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/proglottis/gpgme/pull/23
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1795838
Patch, Third Party Advisory x_refsource_misc
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
Patch, Third Party Advisory x_refsource_misc
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0679
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0689
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0697
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
Scores
CVSS v3
7.5
EPSS
0.0194
EPSS Percentile
83.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (19)
fedoraproject/fedora
30
fedoraproject/fedora
31
fedoraproject/fedora
32
gpgme_project/gpgme
< 0.1.1
proglottis/gpgme
0 - 0.1.1 (Go)
redhat/enterprise_linux_for_ibm_z_systems
7.0
redhat/enterprise_linux_for_power_little_endian
7.0
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_workstation
7.0
redhat/openshift_container_platform
3.11
... and 9 more
Published
Feb 12, 2020
Tracked Since
Feb 18, 2026