Vulnerability Description
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnupg | Gnupg | < 2.2.18 |
| Fedoraproject | Fedora | 30 |
| Canonical | Ubuntu Linux | 18.04 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855Issue TrackingThird Party Advisory
- https://dev.gnupg.org/T4755Vendor Advisory
- https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.htmlMailing ListRelease NotesVendor Advisory
- https://rwc.iacr.org/2020/slides/Leurent.pdfExploitThird Party Advisory
- https://usn.ubuntu.com/4516-1/Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855Issue TrackingThird Party Advisory
- https://dev.gnupg.org/T4755Vendor Advisory
- https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.htmlMailing ListRelease NotesVendor Advisory
- https://rwc.iacr.org/2020/slides/Leurent.pdfExploitThird Party Advisory
- https://usn.ubuntu.com/4516-1/Third Party Advisory
FAQ
What is CVE-2019-14855?
CVE-2019-14855 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issu...
How severe is CVE-2019-14855?
CVE-2019-14855 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14855?
Check the references section above for vendor advisories and patch information. Affected products include: Gnupg Gnupg, Fedoraproject Fedora, Canonical Ubuntu Linux.