CVE-2013-4351

Published: Oct 10, 2013Modified: Apr 29, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.

Affected (30)

Products: Gnupg: Gnupg

1 product

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Gnupg Gnupg	Version 1.4.0
Gnupg Gnupg	Version 1.4.10
Gnupg Gnupg	Version 1.4.11
Gnupg Gnupg	Version 1.4.12
Gnupg Gnupg	Version 1.4.13
Gnupg Gnupg	Version 1.4.2
Gnupg Gnupg	Version 1.4.3
Gnupg Gnupg	Version 1.4.4
Gnupg Gnupg	Version 1.4.5
Gnupg Gnupg	Version 1.4.6
Gnupg Gnupg	Version 1.4.8

Configuration B

18 vulnerable

Vulnerable Software	Affected Versions
Gnupg Gnupg	Version 2.0.10
Gnupg Gnupg	Version 2.0.11
Gnupg Gnupg	Version 2.0.12
Gnupg Gnupg	Version 2.0.13
Gnupg Gnupg	Version 2.0.14
Gnupg Gnupg	Version 2.0.15
Gnupg Gnupg	Version 2.0.16
Gnupg Gnupg	Version 2.0.17
Gnupg Gnupg	Version 2.0.18
Gnupg Gnupg	Version 2.0.19
Gnupg Gnupg	Version 2.0.1
Gnupg Gnupg	Version 2.0.3
Gnupg Gnupg	Version 2.0.4
Gnupg Gnupg	Version 2.0.5
Gnupg Gnupg	Version 2.0.6
Gnupg Gnupg	Version 2.0.7
Gnupg Gnupg	Version 2.0.8
Gnupg Gnupg	Version 2.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Gnupg Gnupg	Version 2.1.0 beta1

Related CWEs

References (18)

http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2013-1459.html

Source: secalert@redhat.com

http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138

Source: secalert@redhat.com

http://ubuntu.com/usn/usn-1987-1

Source: secalert@redhat.com

http://www.debian.org/security/2013/dsa-2773

Source: secalert@redhat.com

http://www.debian.org/security/2013/dsa-2774

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2013/09/13/4

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1010137

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-1459.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138

Source: af854a3a-2127-422b-91ae-364da2661108

http://ubuntu.com/usn/usn-1987-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2773

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2774

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2013/09/13/4

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=1010137

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.