Vulnerability Name:

CVE-2020-24972 (CCN-187538)

Assigned:2020-08-29
Published:2020-08-29
Updated:2022-11-16
Summary:The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-116
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-24972

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1723

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1754

Source: MISC
Type: Patch, Vendor Advisory
https://dev.gnupg.org/rKLEOPATRAb4bd63c1739900d94c04da03045e9445a5a5f54b

Source: MISC
Type: Exploit, Vendor Advisory
https://dev.gnupg.org/source/kleo/browse/master/CMakeLists.txt

Source: CCN
Type: GnuPG Web site
Kleopatra

Source: XF
Type: UNKNOWN
kleopatra-cve202024972-code-exec(187538)

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-9b441d3153

Source: CCN
Type: GLSA 202008-21
Kleopatra: Remote code execution

Source: GENTOO
Type: Third Party Advisory
GLSA-202008-21

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-24972

Vulnerable Configuration:Configuration 1:
  • cpe:/a:kleopatra_project:kleopatra:*:*:*:*:*:gnupg:*:* (Version < 20.07.80)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:202024972
    V
    		CVE-2020-24972
    2021-10-24
    oval:org.opensuse.security:def:64574
    P
    		Security update for wireshark (Moderate)
    2021-09-13
    oval:org.opensuse.security:def:62729
    P
    		NetworkManager-1.22.10-3.7.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63525
    P
    		NetworkManager-applet-1.8.10-3.39 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:74640
    P
    		Security update for the Linux Kernel (Important)
    2021-06-08
    oval:org.opensuse.security:def:64462
    P
    		Security update for fwupdate (Important)
    2021-04-08
    oval:org.opensuse.security:def:62906
    P
    		libtidy-devel-5.4.0-1.34 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62705
    P
    		libvdpau-devel-1.1.1-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63185
    P
    		squid-4.0.23-3.47 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62706
    P
    		libvpx-devel-1.6.1-6.6.8 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63387
    P
    		apache-commons-beanutils-1.9.2-2.46 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:100251
    P
    		 (Important)
    2020-12-02
    oval:org.opensuse.security:def:64318
    P
    		libbluetooth3 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74514
    P
    		Security update for webkit2gtk3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:63751
    P
    		Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:64420
    P
    		opensc on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64078
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:64212
    P
    		audit-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:93538
    P
    		Security update for kleopatra (Moderate)
    2020-10-28
    oval:org.opensuse.security:def:110264
    P
    		Security update for kleopatra (Moderate)
    2020-10-24
    BACK
    kleopatra_project kleopatra *
    fedoraproject fedora 32
    opensuse leap 15.1
    opensuse backports sle 15.0 sp1