CVE-2020-8945

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

Published: Feb 12, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-8945
GHSA: GHSA-m6wg-2mwg-4rfq
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
gpgme_project / gpgme	-	0.1.1
redhat / openshift_container_platform	3.11	3.11.x
redhat / openshift_container_platform	4.1	4.1.x
redhat / openshift_container_platform	4.2	4.2.x
redhat / openshift_container_platform	4.3	4.3.x
redhat / openshift_container_platform	4.4	4.4.x
redhat / openshift_container_platform	4.5	4.5.x
redhat / openshift_container_platform_for_ibm_z	4.1	4.1.x
redhat / openshift_container_platform_for_ibm_z	4.2	4.2.x
redhat / openshift_container_platform_for_linuxone	4.1	4.1.x
redhat / openshift_container_platform_for_linuxone	4.2	4.2.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux_server	7.0	7.0.x
redhat / enterprise_linux_for_power_little_endian	7.0	7.0.x
redhat / enterprise_linux_for_ibm_z_systems	7.0	7.0.x
github.com/proglottis/gpgme	-	0.1.1

Vulnerability Database

289,599

CVE-2020-8945