CVE-2003-0971

GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000798
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html	Patch Vendor Advisory
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html	Patch
http://marc.info/?l=bugtraq&m=106995769213221&w=2
http://secunia.com/advisories/10304
http://secunia.com/advisories/10349
http://secunia.com/advisories/10399
http://secunia.com/advisories/10400
http://www.debian.org/security/2004/dsa-429
http://www.kb.cert.org/vuls/id/940388	US Government Resource
http://www.mandriva.com/security/advisories?name=MDKSA-2003:109
http://www.novell.com/linux/security/advisories/2003_048_gpg.html
http://www.redhat.com/support/errata/RHSA-2003-390.html
http://www.redhat.com/support/errata/RHSA-2003-395.html
http://www.securityfocus.com/bid/9115	Patch Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10982

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gnu:privacy_guard:1.0.2:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.0.3:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.0.3b:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.0.4:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.0.5:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.0.6:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.0.7:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.2:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.2.1:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.2.2:::::::*
	cpe:2.3:a:gnu:privacy_guard:1.2.2:rc1::::::
	cpe:2.3:a:gnu:privacy_guard:1.2.3:::::::*

History

No history.

Information

Published : 2003-12-15 05:00

Updated : 2017-10-11 01:29

NVD link : CVE-2003-0971

Mitre link : CVE-2003-0971

CVE.ORG link : CVE-2003-0971

JSON object : View

Products Affected

gnu

privacy_guard

CWE

NVD-CWE-Other

{"id": "CVE-2003-0971", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2003-12-15T05:00:00.000", "references": [{"url": "ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc", "source": "cve@mitre.org"}, {"url": "http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000798", "source": "cve@mitre.org"}, {"url": "http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://marc.info/?l=bugtraq&m=106995769213221&w=2", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/10304", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/10349", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/10399", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/10400", "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2004/dsa-429", "source": "cve@mitre.org"}, {"url": "http://www.kb.cert.org/vuls/id/940388", "tags": ["US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:109", "source": "cve@mitre.org"}, {"url": "http://www.novell.com/linux/security/advisories/2003_048_gpg.html", "source": "cve@mitre.org"}, {"url": "http://www.redhat.com/support/errata/RHSA-2003-390.html", "source": "cve@mitre.org"}, {"url": "http://www.redhat.com/support/errata/RHSA-2003-395.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/9115", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10982", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature."}, {"lang": "es", "value": "GnuPG (GPG) 1.0.2 y otras versiones anteriores a 1.2.3 crea claves firma+cifra ElGamal usando el mismo componente para cifrado y para firma, lo que permite a atacantes determinar la clave privada a partir de una firma."}], "lastModified": "2017-10-11T01:29:16.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4DF7811A-B254-4829-AED2-C70BD5C82592"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72ED862B-6278-41ED-9619-115E6552AFBB"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.3b:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1869E888-E83C-4A62-AA84-F2C9F2AF12FB"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3D51820-D735-44FC-95BB-A473FFDE9D35"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5FB2C28-0E4D-4AE3-A2CC-0197FE578074"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F2224AF-EA7B-4A3D-8B23-7FC59D66E611"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A2B3B44-941E-4007-B58A-16E85B87CB33"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49A642D7-007E-479D-963E-A74AAE195A54"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86144B81-D321-4ECA-937F-FFA8A043FCE4"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.2.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A93CAE1-0DFC-43E1-997D-22CDC338D3E8"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.2.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9896332E-819B-4392-B704-B143DBBE90A7"}, {"criteria": "cpe:2.3:a:gnu:privacy_guard:1.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B641ED5-4326-43E7-BF42-982B44478A05"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}