Vulnerability Details : CVE-2018-12020
Potential exploit
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
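The failure mode described above, as an added example (not code from this CVE record or from GnuPG): a GOODSIG scan over a merged fd 2 stream accepts a forged line, while the same scan over a dedicated status pipe does not. The sample streams, key ID and signer name are constructed, and `verify()` assumes a POSIX system with `gpg` on the PATH; upgrading to GnuPG 2.2.8 or later remains the fix.

```python
import os
import subprocess

PREFIX = "[GNUPG:] "

# Constructed sample: fd 2 of a pre-2.2.8 gpg run with --verbose --status-fd 2,
# where the embedded filename carries a line feed and a status-looking line.
MERGED_FD2 = (
    "gpg: original file name='\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>\n"
    "'\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] END_DECRYPTION\n"
)
# Constructed sample: what a dedicated status descriptor carries for the same run.
STATUS_ONLY = "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] END_DECRYPTION\n"

def signers(stream):
    """Key IDs from GOODSIG lines; only meaningful on a status-only stream."""
    ids = []
    for line in stream.splitlines():
        if line.startswith(PREFIX + "GOODSIG "):
            ids.append(line[len(PREFIX):].split(" ")[1])
    return ids

def verify_argv(status_fd, path):
    """gpg argv: status on its own descriptor, verbose diagnostics off."""
    return ["gpg", "--batch", "--no-verbose",
            "--status-fd", str(status_fd), "--verify", path]

def verify(path):
    """Run gpg with a private status pipe; stderr is discarded, never parsed."""
    r, w = os.pipe()
    with os.fdopen(r, encoding="utf-8", errors="replace") as status:
        try:
            proc = subprocess.Popen(verify_argv(w, path), pass_fds=(w,),
                                    stdout=subprocess.DEVNULL,
                                    stderr=subprocess.DEVNULL)
        finally:
            os.close(w)  # parent must close its copy or read() never sees EOF
        data = status.read()
    return signers(data) if proc.wait() == 0 else []
```

`signers(MERGED_FD2)` returns the constructed key ID even though no signature was checked, which is why a consumer should never derive trust decisions from a stream that also carries gpg's diagnostics.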
Products affected by CVE-2018-12020
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12020
- EPSS score: 0.42% (probability of exploitation activity in the next 30 days)
- Percentile: ~74% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-12020
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-12020
- The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12020
- https://www.debian.org/security/2018/dsa-4222
  Debian -- Security Information -- DSA-4222-1 gnupg2 (Third Party Advisory)
- http://www.securitytracker.com/id/1041051
  GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages - SecurityTracker (Broken Link)
- http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
  Johnny You Are Fired ≈ Packet Storm (Third Party Advisory; VDB Entry)
- https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html
  [SECURITY] [DLA 2862-1] python-gnupg security update (Mailing List; Third Party Advisory)
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
  Security fixes in StruxureWare Data Center Expert v7.6.0 - User assistance for StruxureWare Data Center Expert 7.x - Help Center: Support for EcoStruxure IT, StruxureWare for Data Centers, and NetBotz (Third Party Advisory)
- http://seclists.org/fulldisclosure/2019/Apr/38
  Full Disclosure: OpenPGP and S/MIME signature forgery attacks in multiple email clients (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/3675-1/
  USN-3675-1: GnuPG vulnerabilities | Ubuntu security notices (Third Party Advisory)
- http://openwall.com/lists/oss-security/2018/06/08/2
  oss-security - CVE-2018-12020 in GnuPG (Mailing List; Third Party Advisory)
- https://github.com/RUB-NDS/Johnny-You-Are-Fired
  GitHub - RUB-NDS/Johnny-You-Are-Fired: Artifacts for the USENIX publication. (Technical Description; Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4224
  Debian -- Security Information -- DSA-4224-1 gnupg (Third Party Advisory)
- https://usn.ubuntu.com/3964-1/
  USN-3964-1: python-gnupg vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4223
  Debian -- Security Information -- DSA-4223-1 gnupg1 (Third Party Advisory)
- https://usn.ubuntu.com/3675-2/
  USN-3675-2: GnuPG 2 vulnerability | Ubuntu security notices (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/04/30/4
  oss-security - Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients) (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2180
  RHSA-2018:2180 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://dev.gnupg.org/T4012
  ⚓ T4012 Diagnostic is shown with the original filename not being sanitized. (Patch; Vendor Advisory)
- http://www.securityfocus.com/bid/104450
  GnuPG CVE-2018-12020 Security Bypass Vulnerability (Broken Link)
- https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
  Johnny-You-Are-Fired/johnny-fired.pdf at master · RUB-NDS/Johnny-You-Are-Fired · GitHub (Technical Description; Third Party Advisory)
- https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
  [Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020) (Mailing List; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2181
  RHSA-2018:2181 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://usn.ubuntu.com/3675-3/
  USN-3675-3: GnuPG vulnerability | Ubuntu security notices (Third Party Advisory)