CVE-2013-4351

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 5.8 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:P/I:P/A:N
redhat | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score percentile: 80%
Vulnerable software versions:

Vendor | Product | Version
gnupg | gnupg | 1.4.0
gnupg | gnupg | 1.4.2
gnupg | gnupg | 1.4.3
gnupg | gnupg | 1.4.4
gnupg | gnupg | 1.4.5
gnupg | gnupg | 1.4.6
gnupg | gnupg | 1.4.8
gnupg | gnupg | 1.4.10
gnupg | gnupg | 1.4.11
gnupg | gnupg | 1.4.12
gnupg | gnupg | 1.4.13
gnupg | gnupg | 2.0
gnupg | gnupg | 2.0.1
gnupg | gnupg | 2.0.3
gnupg | gnupg | 2.0.4
gnupg | gnupg | 2.0.5
gnupg | gnupg | 2.0.6
gnupg | gnupg | 2.0.7
gnupg | gnupg | 2.0.8
gnupg | gnupg | 2.0.10
gnupg | gnupg | 2.0.11
gnupg | gnupg | 2.0.12
gnupg | gnupg | 2.0.13
gnupg | gnupg | 2.0.14
gnupg | gnupg | 2.0.15
gnupg | gnupg | 2.0.16
gnupg | gnupg | 2.0.17
gnupg | gnupg | 2.0.18
gnupg | gnupg | 2.0.19
gnupg | gnupg | 2.1.0:beta1

Debian Releases

Debian Product | Codename | Version | Status
gnupg2 | bullseye (security) | 2.2.27-2+deb11u2 | fixed
gnupg2 | bullseye | 2.2.27-2+deb11u2 | fixed
gnupg2 | bookworm | 2.2.40-1.1 | fixed
gnupg2 | trixie | 2.2.44-1 | fixed
gnupg2 | sid | 2.2.45-2 | fixed

Ubuntu Releases

Ubuntu Product | Codename | Version | Status
gnupg | raring | Fixed 1.4.12-7ubuntu1.2 | released
gnupg | quantal | Fixed 1.4.11-3ubuntu4.3 | released
gnupg | precise | Fixed 1.4.11-3ubuntu2.4 | released
gnupg | lucid | Fixed 1.4.10-2ubuntu1.4 | released
gnupg2 | raring | Fixed 2.0.19-2ubuntu1.1 | released
gnupg2 | quantal | Fixed 2.0.17-2ubuntu3.2 | released
gnupg2 | precise | Fixed 2.0.17-2ubuntu2.12.04.3 | released
gnupg2 | lucid | | ignored