First published: Sat Aug 29 2020
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kleopatra Project Kleopatra | <20.07.80 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Leap | =15.1 | |
CVE-2020-24972 is a vulnerability in the Kleopatra component of GnuPG that allows remote attackers to execute arbitrary code.
CVE-2020-24972 arises because Kleopatra does not safely handle command-line options when opening openpgp4fpr: URLs, so the Qt platformpluginpath option can be supplied through such a URL to make the process load an arbitrary DLL.
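The root cause described above (and in the vulnerability description at the top) is a URL-scheme handler that lets URL content reach the launched process as if it were an option. As an added illustration of the mitigation, not Kleopatra's own code, the handler below accepts an openpgp4fpr: URL only when its payload is a bare hex OpenPGP fingerprint; the helper binary name is a hypothetical placeholder.

```python
import re
from urllib.parse import unquote

# Added illustration, not Kleopatra's code: a URL-scheme handler that accepts an
# openpgp4fpr: URL only if its payload is a bare OpenPGP fingerprint, so the value
# handed to the launched program can never look like a Qt or application option.
HANDLER_BINARY = "pgp-viewer"  # hypothetical placeholder, not a real command

# v4 fingerprints are 40 hex digits, v5 fingerprints are 64; nothing else is allowed.
_FPR_RE = re.compile(r"\A(?:[0-9A-F]{40}|[0-9A-F]{64})\Z")


def extract_fingerprint(url: str) -> str:
    """Return the normalised fingerprint from an openpgp4fpr: URL, or raise ValueError."""
    scheme, sep, payload = url.partition(":")
    if not sep or scheme.lower() != "openpgp4fpr":
        raise ValueError("not an openpgp4fpr: URL")
    # Decode percent-escapes first so '%2D' cannot smuggle a leading dash past the check,
    # then drop the optional grouping spaces and normalise case.
    fpr = unquote(payload).replace(" ", "").upper()
    if not _FPR_RE.match(fpr):
        raise ValueError("payload is not a plain hex fingerprint")
    return fpr


def build_command(url: str) -> list[str]:
    """Build the argv for the helper process; only a validated fingerprint is passed."""
    return [HANDLER_BINARY, extract_fingerprint(url)]


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed fingerprint URL, one option-shaped payload.
    good = "openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567"
    print(build_command(good))
    try:
        build_command("openpgp4fpr:-platformpluginpath")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist check is the important part: because the regex admits only hex digits, nothing starting with a dash (or anything that is not a fingerprint at all) can ever be appended to the child's argv.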
CVE-2020-24972 has a severity rating of 8.8, which is classed as high.
Versions of Kleopatra before 3.1.12 and 20.07.80 for GnuPG are affected by CVE-2020-24972.
To fix CVE-2020-24972, update Kleopatra for GnuPG to version 3.1.12 or 20.07.80 (or later).