CVE-2022-3219

EUVD-2022-42633
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA-ADPADP
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
gnupggnupg
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gnupg2
bookworm
unimportant
bullseye
unimportant
bullseye (security)
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gnupg
bionic
dne
focal
dne
jammy
dne
trusty
deferred
xenial
deferred
gnupg2
bionic
deferred
focal
deferred
jammy
deferred
kinetic
ignored
lunar
ignored
mantic
ignored
noble
deferred
trusty
ignored
xenial
deferred
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2022-3219
https://bugzilla.redhat.com/show_bug.cgi?id=2127010
https://dev.gnupg.org/D556
https://dev.gnupg.org/T5993
https://marc.info/?l=oss-security&m=165696590211434&w=4
https://security.netapp.com/advisory/ntap-20230324-0001/
https://access.redhat.com/security/cve/CVE-2022-3219
https://bugzilla.redhat.com/show_bug.cgi?id=2127010
https://dev.gnupg.org/D556
https://dev.gnupg.org/T5993
https://marc.info/?l=oss-security&m=165696590211434&w=4
https://security.netapp.com/advisory/ntap-20230324-0001/