5.8 Medium
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.015 Low
EPSS
Percentile
85.5%
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. (CVE-2014-4617)
Impact
ARX
This vulnerability is exposed when using the Auto Diagnostics feature.
BIG-IP
GNU Privacy Guard (GnuPG) is not used in traffic processing. GnuPG is used only in administrative functions on the BIG-IP system, such as encryption of user configuration set (UCS) and single configuration files (SCF), and verification of ISOs and ASM signatures, which are not affected by this vulnerability. An authenticated (root) user with advanced shell access could upload a specially crafted file and execute** gpg** manually to trigger this vulnerability.
F5 iWorkflow, BIG-IQ, and Enterprise Manager
An authenticated user with advanced shell access could be able to exploit this vulnerability by executing** gpg** manually.
CPE | Name | Operator | Version |
---|---|---|---|
big-ip afm | eq | 11.4.0 | |
big-ip afm | eq | 11.4.1 | |
big-ip afm | eq | 11.5.0 | |
big-ip afm | eq | 11.5.1 | |
big-ip afm | eq | 11.5.2 | |
big-ip afm | eq | 11.5.3 | |
big-ip afm | eq | 11.5.4 | |
big-ip afm | eq | 11.5.5 | |
big-ip afm | eq | 11.5.6 | |
big-ip afm | eq | 11.6.0 |