CVE-2020-8945 : The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-fre

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

Published 2020-02-12 18:15:10

Updated 2022-10-18 17:59:20

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2020-8945

Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Little Endian » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 4.1
cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform » Version: 4.2
cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform » Version: 4.3
cpe:2.3:a:redhat:openshift_container_platform:4.3:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform » Version: 4.4
cpe:2.3:a:redhat:openshift_container_platform:4.4:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform » Version: 4.5
cpe:2.3:a:redhat:openshift_container_platform:4.5:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform For Ibm Z » Version: 4.2
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.2:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform For Ibm Z » Version: 4.1
cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.1:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform For Linuxone » Version: 4.2
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.2:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Redhat » Openshift Container Platform For Linuxone » Version: 4.1
cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.1:*:*:*:*:*:*:*
Matching versions
When used together with: Redhat » Enterprise Linux » Version: 7.0
When used together with: Redhat » Enterprise Linux » Version: 8.0
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Gpgme Project » Gpgme » For GO
Versions before (<) 0.1.1
cpe:2.3:a:gpgme_project:gpgme:*:*:*:*:*:go:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-8945

EPSS FAQ

4.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 88 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-8945

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.1	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:P	4.9	6.4	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-8945

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-8945

https://bugzilla.redhat.com/show_bug.cgi?id=1795838

1795838 – (CVE-2020-8945) CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
Issue Tracking;Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0689

RHSA-2020:0689 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0697

RHSA-2020:0697 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1

Comparing v0.1.0...v0.1.1 · proglottis/gpgme · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KDBT77KV3U7BESJX3P4S4MPVDGRTAQA2/

[SECURITY] Fedora 30 Update: skopeo-0.1.41-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SOCLOPTSYABTE4CLTSPDIFE6ZZZR4LX/

Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6cc1

Update to github.com/mtrmac/gpgme@v0.1.1 · containers/image@4c7a23f · GitHub
Patch;Third Party Advisory
https://github.com/proglottis/gpgme/pull/23

Ensure finalizers don't deallocate GPGME objects while C code is still using them by mtrmac · Pull Request #23 · proglottis/gpgme · GitHub
Exploit;Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H6P6SSNKN4H6GSEVROHBDXA64PX7EOED/

[SECURITY] Fedora 31 Update: skopeo-0.1.41-1.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0679

RHSA-2020:0679 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXV7NZELYWRRCXATXU3FYD3G3WJT3WYM/

[SECURITY] Fedora 30 Update: podman-1.8.0-4.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-8945

Products affected by CVE-2020-8945

Exploit prediction scoring system (EPSS) score for CVE-2020-8945

CVSS scores for CVE-2020-8945

CWE ids for CVE-2020-8945

References for CVE-2020-8945