Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-8945

Опубликовано: 16 янв. 2020
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

A use-after-free vulnerability was found in the Go GPGME wrapper library, github.com/proglottis/gpgme. An attacker could use this flaw to crash or cause potential code execution in Go applications that use this library, under certain conditions, during GPG signature verification.

Отчет

OpenShift 3.11 consumes updates for podman from the RHEL-7 extras channel, hence why it has been marked as wontfix in this instance.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Tower 3openshift-clientsNot affected
Red Hat Enterprise Linux 8container-tools:1.0/buildahWill not fix
Red Hat Enterprise Linux 8container-tools:1.0/podmanOut of support scope
Red Hat Enterprise Linux 8container-tools:1.0/skopeoOut of support scope
Red Hat Enterprise Linux 8container-tools:2.0/buildahWill not fix
Red Hat Enterprise Linux 8container-tools:2.0/podmanAffected
Red Hat Enterprise Linux 8container-tools:2.0/skopeoAffected
Red Hat Enterprise Linux 8container-tools:rhel8/buildahWill not fix
Red Hat Enterprise Linux 8container-tools:rhel8/podmanAffected
Red Hat Enterprise Linux 8container-tools:rhel8/skopeoAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-416
https://bugzilla.redhat.com/show_bug.cgi?id=1795838proglottis/gpgme: Use-after-free in GPGME bindings during container image pull

EPSS

Процентиль: 88%
0.04013
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-8945

CVSS3: 7.5
ubuntu
больше 5 лет назад

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

nvd логотип

CVE-2020-8945

CVSS3: 7.5
nvd
больше 5 лет назад

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.

debian логотип

CVE-2020-8945

CVSS3: 7.5
debian
больше 5 лет назад

The proglottis Go wrapper before 0.1.1 for the GPGME library has a use ...

github логотип

GHSA-m6wg-2mwg-4rfq

CVSS3: 7.5
github
около 4 лет назад

GPGME Go wrapper contains Use After Free

oracle-oval логотип

ELSA-2020-1230

oracle-oval
около 5 лет назад

ELSA-2020-1230: skopeo security and bug fix update (MODERATE)

EPSS

Процентиль: 88%
0.04013
Низкий

7.5 High

CVSS3

Уязвимость CVE-2020-8945