CVE-2010-3618

Severity

43%

Complexity

86%

Confidentiality

48%

PGP Desktop 10.0.x before 10.0.3 SP2 and 10.1.0 before 10.1.0 SP1 does not properly implement the "Decrypt/Verify File via Right-Click" functionality for multi-packet OpenPGP messages that represent multi-message input, which allows remote attackers to spoof signed data by concatenating an additional message to the end of a legitimately signed message, related to a "piggy-back" or "unsigned data injection" issue.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Overview

Type

PGP Desktop for

First reported 14 years ago

2010-11-22 13:00:00

Last updated 7 years ago

2017-08-17 01:33:00

Affected Software

PGP Desktop for Windows 10.0.0

10.0.0

PGP Desktop for Windows 10.0.1

10.0.1

PGP Desktop for Windows 10.0.2

10.0.2

PGP Desktop for Windows 10.0.3

10.0.3

PGP Desktop for Windows 10.1.0

10.1.0

PGP Desktop for Mac 10.0.0

10.0.0

PGP Desktop for Mac 10.0.1

10.0.1

PGP Desktop for Mac 10.0.2

10.0.2

PGP Desktop for Mac 10.0.3

10.0.3

PGP Desktop for Mac 10.1.0

10.1.0

References

42293

42307

http://www.cs.ru.nl/E.Verheul/papers/Govcert/Pretty%20Good%20Piggybagging%20v1.0.pdf

Exploit

VU#300785

US Government Resource

1024760

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00

pgpdesktop-openpgp-security-bypass(63366)

https://pgp.custhelp.com/app/answers/detail/a_id/2290

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.