CVE-2021-3349

EUVD-2021-26680
GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NOTE: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Affected Products (NVD)
VendorProductVersion
gnomeevolution
𝑥
≤ 3.38.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
evolution
bookworm
unimportant
bullseye
unimportant
bullseye (security)
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
evolution
bionic
not-affected
focal
not-affected
groovy
ignored
hirsute
ignored
impish
ignored
jammy
not-affected
kinetic
ignored
lunar
ignored
mantic
ignored
noble
not-affected
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html
https://dev.gnupg.org/T4735
https://gitlab.gnome.org/GNOME/evolution/-/issues/299
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html