CVE-2003-0255

Severity

99%

Complexity

99%

Confidentiality

165%

The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.

The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.

CVSS 2.0 Base Score 9.9. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Overview

First reported 21 years ago

2003-05-27 04:00:00

Last updated 6 years ago

2018-05-03 01:29:00

Affected Software

GNU GNU Privacy Guard

References

CLA-2003:694

20030504 Key validity bug in GnuPG 1.2.1 and earlier

ESA-20030515-016

20030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg)

20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04)

VU#397604

US Government Resource

20030515-016

http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html

MDKSA-2003:061

4947

RHSA-2003:175

Patch, Vendor Advisory

RHSA-2003:176

7497

TLSA200334

gnupg-invalid-key-acceptance(11930)

oval:org.mitre.oval:def:135

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.