First published: Fri Jul 01 2022
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
debian/gnupg2 | 2.2.12-1+deb10u2, 2.2.27-2+deb11u2, 2.2.40-1.1 | Update to the listed version for your Debian release
GnuPG GnuPG | <=2.3.6 | |
Fedora Project Fedora | =35 | |
Fedora Project Fedora | =36 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
NetApp Active IQ Unified Manager (VMware vSphere) | | |
NetApp ONTAP Select Deploy administration utility | | |
CVE-2022-34903 is a vulnerability in GnuPG through version 2.3.6 that allows signature forgery through injection into the status line.
The severity of CVE-2022-34903 is medium with a CVSS score of 6.5.
GnuPG versions up to and including 2.3.6 are affected by CVE-2022-34903.
In unusual situations where the attacker possesses secret-key information from a victim's keyring and other constraints are met, they can exploit CVE-2022-34903 to forge signatures via injection into the status line.
Debian has released patches for the affected versions of GnuPG (gnupg2). Users should update to version 2.2.12-1+deb10u2 (Debian 10), 2.2.27-2+deb11u2 (Debian 11), or 2.2.40-1.1 to fix CVE-2022-34903.
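A check that an installed Debian gnupg2 package is at or above the fixed versions listed above, as an added example (not code from GnuPG, Debian or SecAlerts). It reimplements the dpkg version ordering so it runs without dpkg; the release keys "10", "11" and "newer" are this example's own labels, the third one assumed for the unlabelled 2.2.40-1.1 entry.

```python
"""Check whether an installed Debian gnupg2 version carries the fix for
CVE-2022-34903, using the fixed versions listed in this advisory.
Version comparison follows the dpkg rules: epoch:upstream-revision,
alternating non-digit/digit runs, and '~' sorting before everything."""
import re
import subprocess

# Fixed gnupg2 versions from the advisory table. "newer" is this example's
# label for the entry the page lists without a release (2.2.40-1.1).
FIXED = {"10": "2.2.12-1+deb10u2", "11": "2.2.27-2+deb11u2", "newer": "2.2.40-1.1"}

def _order(c):
    # dpkg ordering of one non-digit character: '~' < end-of-string < letters < others
    if c == "~": return -1
    if c == "": return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare two version fragments run by run (non-digit run, then digit run).
    while a or b:
        ma, mb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ma):], b[len(mb):]
        for i in range(max(len(ma), len(mb))):
            oa = _order(ma[i] if i < len(ma) else "")
            ob = _order(mb[i] if i < len(mb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    # epoch is before the first ':', revision after the last '-'
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, release):
    """True if the installed gnupg2 version is at or above the fixed one."""
    return compare_versions(installed, FIXED[release]) >= 0

if __name__ == "__main__":  # query the live package database when run directly
    ver = subprocess.check_output(["dpkg-query", "-W", "-f=${Version}", "gnupg2"], text=True)
    print(ver, "fixed" if is_fixed(ver, "11") else "VULNERABLE")
```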