Lucene search

K
cveMitreCVE-2020-8945
HistoryFeb 12, 2020 - 6:15 p.m.

CVE-2020-8945

2020-02-1218:15:10
CWE-416
mitre
web.nvd.nist.gov
150
3
proglottis
go wrapper
gpgme library
use-after-free
container image pulls
docker
cri-o
crash
code execution
gpg signature verification
cve-2020-8945

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.012

Percentile

85.0%

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

Affected configurations

Nvd
Node
gpgme_projectgpgmeRange<0.1.1go
Node
redhatopenshift_container_platformMatch3.11
OR
redhatopenshift_container_platformMatch4.1
OR
redhatopenshift_container_platformMatch4.2
OR
redhatopenshift_container_platformMatch4.3
OR
redhatopenshift_container_platformMatch4.4
OR
redhatopenshift_container_platformMatch4.5
OR
redhatopenshift_container_platform_for_ibm_zMatch4.1
OR
redhatopenshift_container_platform_for_ibm_zMatch4.2
OR
redhatopenshift_container_platform_for_linuxoneMatch4.1
OR
redhatopenshift_container_platform_for_linuxoneMatch4.2
AND
redhatenterprise_linuxMatch7.0
OR
redhatenterprise_linuxMatch8.0
Node
fedoraprojectfedoraMatch30
OR
fedoraprojectfedoraMatch31
OR
fedoraprojectfedoraMatch32
Node
redhatenterprise_linux_for_ibm_z_systemsMatch7.0
OR
redhatenterprise_linux_for_power_little_endianMatch7.0
OR
redhatenterprise_linux_serverMatch7.0
OR
redhatenterprise_linux_workstationMatch7.0
Node
redhatopenshift_container_platformMatch3.11
VendorProductVersionCPE
gpgme_projectgpgme*cpe:2.3:a:gpgme_project:gpgme:*:*:*:*:*:go:*:*
redhatopenshift_container_platform3.11cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
redhatopenshift_container_platform4.1cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
redhatopenshift_container_platform4.2cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*
redhatopenshift_container_platform4.3cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:*
redhatopenshift_container_platform4.4cpe:2.3:a:redhat:openshift_container_platform:4.4:*:*:*:*:*:*:*
redhatopenshift_container_platform4.5cpe:2.3:a:redhat:openshift_container_platform:4.5:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_ibm_z4.1cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.1:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_ibm_z4.2cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.2:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_linuxone4.1cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.1:*:*:*:*:*:*:*
Rows per page:
1-10 of 201

References

Social References

More

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.012

Percentile

85.0%