7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
github.com/proglottis/gpgme is vulnerable to use-after-free. The attack is possible because it allows malicious use for container image pulls by Docker or CRI-O, leading to an application crash or arbitrary code execution during GPG signature verification.
access.redhat.com/errata/RHSA-2020:0679
access.redhat.com/errata/RHSA-2020:0689
access.redhat.com/errata/RHSA-2020:0697
bugzilla.redhat.com/show_bug.cgi?id=1795838
github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1
github.com/proglottis/gpgme/commit/d575e5df6a8359a0ad12f59a8377d362c3eb6afd
github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1
github.com/proglottis/gpgme/pull/23
lists.fedoraproject.org/archives/list/[email protected]/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/
lists.fedoraproject.org/archives/list/[email protected]/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/
lists.fedoraproject.org/archives/list/[email protected]/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/
lists.fedoraproject.org/archives/list/[email protected]/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P