OpenSUSE Linux update for gpg2

Published: 2019-01-13 12:22:44 | Updated: 2019-01-13
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-1000858
CVSSv3: 4.4 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID: CWE-352
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Opensuse
Vulnerable software versions: Opensuse 15.0
Vendor URL: Novell

Security Advisory

1) Cross-site request forgery

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin within dirmngr. A remote attacker can trick the victim into performing a Web Key Directory (WKD) request (entering an email address in the composer window of Thunderbird/Enigmail) and then perform arbitrary actions on behalf of the victim.

Remediation

Update the affected packages.

External links

https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00009.html
