CVE-2022-3515: Integer Overflow
First published: Mon Oct 17 2022(Updated: )
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gnupg Libksba | <1.6.3 | |
| Gpg4win Gpg4win | >=2.0.0<4.1.0 | |
| Gnupg Vs-desktop | >=3.1.16<3.1.26 | |
| Gnupg Gnupg | >=2.1.0<2.2.41 | |
| Gnupg Gnupg | >=2.3.0<2.4.0 | |
| redhat/libksba | <0:1.3.0-6.el7_9 | 0:1.3.0-6.el7_9 |
| redhat/libksba | <0:1.3.5-8.el8_6 | 0:1.3.5-8.el8_6 |
| redhat/libksba | <0:1.3.5-8.el8_1 | 0:1.3.5-8.el8_1 |
| redhat/libksba | <0:1.3.5-8.el8_2 | 0:1.3.5-8.el8_2 |
| redhat/libksba | <0:1.3.5-8.el8_4 | 0:1.3.5-8.el8_4 |
| redhat/libksba | <0:1.5.1-5.el9_0 | 0:1.5.1-5.el9_0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2022-3515
- https://bugzilla.redhat.com/show_bug.cgi?id=2135610
- https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
- https://security.netapp.com/advisory/ntap-20230706-0008/
- https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
- https://www.cve.org/CVERecord?id=CVE-2022-3515 https://nvd.nist.gov/vuln/detail/CVE-2022-3515 https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
- https://access.redhat.com/errata/RHSA-2022:7088
- https://access.redhat.com/errata/RHSA-2022:7089
- https://access.redhat.com/errata/RHSA-2022:7209
- https://access.redhat.com/errata/RHSA-2022:7283
- https://access.redhat.com/errata/RHSA-2022:7927
- https://access.redhat.com/errata/RHSA-2022:7090
- https://access.redhat.com/errata/RHSA-2022:8598
- https://access.redhat.com/security/cve/cve-2022-3515
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this Libksba vulnerability?
The vulnerability ID for this Libksba vulnerability is CVE-2022-3515.
What is the severity of CVE-2022-3515?
The severity of CVE-2022-3515 is critical (9.8).
How does the vulnerability in the Libksba library occur?
The vulnerability in the Libksba library occurs due to an integer overflow within the CRL parser.
How can the vulnerability in Libksba be exploited?
The vulnerability in Libksba can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
Where can I find more information about CVE-2022-3515?
You can find more information about CVE-2022-3515 at the following references: [link1](https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html), [link2](https://dev.gnupg.org/T6230), [link3](https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/references
- agent/softwarecombine
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3515
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/gnupg
- canonical/gnupg libksba
- vendor/gpg4win
- canonical/gpg4win gpg4win
- version/gpg4win gpg4win/2.0.0
- canonical/gnupg vs-desktop
- version/gnupg vs-desktop/3.1.16
- canonical/gnupg gnupg
- version/gnupg gnupg/2.1.0
- version/gnupg gnupg/2.3.0