CVE-2020-24972 — HIGH (8.8)

Q: How severe is CVE-2020-24972?

CVE-2020-24972 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-24972?

Check the references section above for vendor advisories and patch information. Affected products include: Kleopatra Project Kleopatra, Fedoraproject Fedora, Opensuse Backports Sle, Opensuse Leap.

Vulnerability Description

The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Kleopatra Project	Kleopatra	< 20.07.80
Fedoraproject	Fedora	32
Opensuse	Backports Sle	15.0
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-116

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00053.htmlBroken LinkMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00064.htmlBroken LinkMailing ListThird Party Advisory
https://dev.gnupg.org/rKLEOPATRAb4bd63c1739900d94c04da03045e9445a5a5f54bPatchVendor Advisory
https://dev.gnupg.org/source/kleo/browse/master/CMakeLists.txtExploitVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202008-21Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00053.htmlBroken LinkMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00064.htmlBroken LinkMailing ListThird Party Advisory
https://dev.gnupg.org/rKLEOPATRAb4bd63c1739900d94c04da03045e9445a5a5f54bPatchVendor Advisory
https://dev.gnupg.org/source/kleo/browse/master/CMakeLists.txtExploitVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202008-21Third Party Advisory

FAQ

What is CVE-2020-24972?

CVE-2020-24972 is a vulnerability with a CVSS score of 8.8 (HIGH). The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line op...

How severe is CVE-2020-24972?

CVE-2020-24972 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-24972?

Check the references section above for vendor advisories and patch information. Affected products include: Kleopatra Project Kleopatra, Fedoraproject Fedora, Opensuse Backports Sle, Opensuse Leap.