Vulnerability Details : CVE-2021-3349
Potential exploit
GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier (user ID) on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior.
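The failure described above is a trust-granularity problem: GnuPG's `--verify` status output tells the caller that the signature is good and that the key is trusted (`GOODSIG`, `VALIDSIG`, `TRUST_FULLY`), but that trust status is computed for the key as a whole, while OpenPGP validity is actually established per user ID. A mail client that stops there will show "Valid signature" for mail whose From address matches a user ID the key holder added later and that nobody the reader trusts has certified. The script below is an added example written for this page (it is not Evolution's or GnuPG's code) that parses constructed `gpg --status-fd` output and a constructed `gpg --with-colons --list-keys` listing for the same hypothetical key (fingerprint, addresses and timestamps are invented), then contrasts the key-level verdict with a verdict that requires the user ID matching the sender to be valid on its own.

```python
"""Per-UID signature check for OpenPGP-signed mail (added example for the
CVE-2021-3349 class of issue; not Evolution's or GnuPG's code).

Inputs are GnuPG's machine-readable formats: --status-fd lines from
`gpg --verify` and a `gpg --with-colons --list-keys` listing. All sample data
below is constructed for this example (hypothetical key, fingerprint, addresses).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed --status-fd output: good signature, key reported fully trusted.
STATUS_FD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID 2Xt8C6aRlAMfB4ZxlUFPk7N5kj0 2021-01-20 1611100000
[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-01-20 1611100000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed --with-colons listing of the same key. Field 2 is the validity:
# 'f' for the UID we certified, '-' (unknown) for a UID the key holder added
# later that no key we trust has certified.
KEY_LISTING = """\
tru::1:1611000000:0:3:1:5
pub:f:3072:1:0123456789ABCDEF:1609459200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:f::::1609459200::A1B2C3D4E5F60718293A4B5C6D7E8F9012345678::Alice <alice@example.org>::::::::::0:
uid:-::::1611000000::FEDCBA98765432100123456789ABCDEF01234567::Bob <bob@example.com>::::::::::0:
sub:f:3072:1:FEDCBA9876543210:1609459200::::::e::::::23:
"""

KEY_TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}   # key-level status keywords
UID_VALID = {"f", "u"}                            # per-UID validity codes


@dataclass
class SigStatus:
    good: bool = False
    fingerprint: Optional[str] = None   # from VALIDSIG
    primary_uid: Optional[str] = None   # the UID gpg prints in GOODSIG
    trust: Optional[str] = None         # TRUST_* keyword, if any


def parse_status_fd(text: str) -> SigStatus:
    """Extract the fields a mail client needs from `gpg --status-fd` output."""
    st = SigStatus()
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 2)          # "[GNUPG:]", keyword, arguments
        keyword = parts[1]
        args = parts[2] if len(parts) > 2 else ""
        if keyword == "GOODSIG":
            st.good = True
            st.primary_uid = args.split(" ", 1)[1] if " " in args else ""
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            st.good = False
        elif keyword == "VALIDSIG":
            st.fingerprint = args.split(" ", 1)[0]
        elif keyword.startswith("TRUST_"):
            st.trust = keyword
    return st


def parse_key_listing(text: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (primary fingerprint, {user id: validity}) from --with-colons output."""
    fpr = None
    uids: Dict[str, str] = {}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and fpr is None:   # first fpr record is the primary key
            fpr = f[9]
        elif f[0] == "uid":
            uids[f[9]] = f[1]               # field 10: user ID, field 2: validity
    return fpr, uids


def uid_address(uid: str) -> str:
    """Mail address inside a user ID, or the whole UID if it has no <...> part."""
    m = re.search(r"<([^>]+)>", uid)
    return (m.group(1) if m else uid).strip().lower()


def verdict_key_level(status: SigStatus) -> bool:
    """Key-level check only: good signature on a trusted key, sender ignored.
    An uncertified UID added to the key rides on the trust earned by another."""
    return status.good and status.trust in KEY_TRUSTED


def verdict_per_uid(status: SigStatus, listing: str, sender: str) -> bool:
    """Hardened check: the UID matching the sender address must itself be valid."""
    fpr, uids = parse_key_listing(listing)
    if not (status.good and fpr and status.fingerprint == fpr):
        return False
    sender = sender.strip().lower()
    return any(uid_address(uid) == sender and validity in UID_VALID
               for uid, validity in uids.items())


if __name__ == "__main__":
    st = parse_status_fd(STATUS_FD)
    for sender in ("alice@example.org", "bob@example.com"):
        print(f"From {sender}: key-level {verdict_key_level(st)}, "
              f"per-UID {verdict_per_uid(st, KEY_LISTING, sender)}")
```

Run stand-alone, the key-level verdict is True for both senders, while the per-UID verdict accepts only alice@example.org; mail from bob@example.com signed by the same key is rejected because that UID has validity `-`. The same shape of check applies whichever GnuPG front end is used: the status lines identify the key, but the decision has to be made against the validity of the one user ID that matches the message's sender.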
Products affected by CVE-2021-3349
- cpe:2.3:a:gnome:evolution:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3349
EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~25% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-3349
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N | 3.9 | 2.9 | NIST | 
3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.8 | 1.4 | NIST | 
CWE ids for CVE-2021-3349
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-3349
- https://dev.gnupg.org/T4735 : "T4735 Please provide an option to make --verify accept only signatures from specific trusted UID" (Third Party Advisory)
- https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html : "Evolution: UID trust extrapolation attack on OpenPGP signatures" (Exploit; Technical Description; Third Party Advisory)
- https://gitlab.gnome.org/GNOME/evolution/-/issues/299 : "Potential vulnerability: gpg key trust extrapolation to new UIDs (#299)", GNOME / evolution issue tracker (Third Party Advisory)