Vulnerability Description
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gpgme Project | Gpgme | < 0.1.1 |
| Redhat | Openshift Container Platform | 3.11 |
| Redhat | Openshift Container Platform For Ibm Z | 4.1 |
| Redhat | Openshift Container Platform For Linuxone | 4.1 |
| Redhat | Enterprise Linux | 7.0 |
| Fedoraproject | Fedora | 30 |
| Redhat | Enterprise Linux For Ibm Z Systems | 7.0 |
| Redhat | Enterprise Linux For Power Little Endian | 7.0 |
| Redhat | Enterprise Linux Server | 7.0 |
| Redhat | Enterprise Linux Workstation | 7.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2020:0679Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0689Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0697Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1795838Issue TrackingPatchThird Party Advisory
- https://github.com/containers/image/commit/4c7a23f82ef09127b0ff28366d1cf31316dd6PatchThird Party Advisory
- https://github.com/proglottis/gpgme/compare/v0.1.0...v0.1.1PatchThird Party Advisory
- https://github.com/proglottis/gpgme/pull/23ExploitPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://access.redhat.com/errata/RHSA-2020:0679Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0689Third Party Advisory
- https://access.redhat.com/errata/RHSA-2020:0697Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1795838Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2020-8945?
CVE-2020-8945 is a vulnerability with a CVSS score of 7.5 (HIGH). The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code executio...
How severe is CVE-2020-8945?
CVE-2020-8945 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-8945?
Check the references section above for vendor advisories and patch information. Affected products include: Gpgme Project Gpgme, Redhat Openshift Container Platform, Redhat Openshift Container Platform For Ibm Z, Redhat Openshift Container Platform For Linuxone, Redhat Enterprise Linux.