CVE-2022-34903

MEDIUM

GnuPG < 2.3.6 - Signature Forgery via Status Line Injection


Description

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

References (10)

Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2022/06/30/1
Issue Tracking, Mailing List, Patch, Third Party Advisory x_refsource_misc
https://bugs.debian.org/1014157
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://dev.gnupg.org/T6027
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/07/02/1
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5174
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220826-0005/

Scores

CVSS v3 6.5
EPSS 0.0150
EPSS Percentile 81.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Details

CWE
CWE-74
Status published
Products (7)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 35
fedoraproject/fedora 36
gnupg/gnupg < 2.3.6
netapp/active_iq_unified_manager
netapp/ontap_select_deploy_administration_utility
Published Jul 01, 2022
Tracked Since Feb 18, 2026