Vulnerability Name:

CVE-2021-3349

Assigned:2021-02-01
Published:2021-02-01
Updated:2021-02-08
Summary:** DISPUTED ** GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API.
Note: third parties dispute the significance of this issue, and dispute whether Evolution is the best place to change this behavior.
CVSS v3 Severity:3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-345
References:Source: MITRE
Type: CNA
CVE-2021-3349

Source: MISC
Type: Third Party Advisory
https://dev.gnupg.org/T4735

Source: MISC
Type: Third Party Advisory
https://gitlab.gnome.org/GNOME/evolution/-/issues/299

Source: MISC
Type: Exploit, Technical Description, Third Party Advisory
https://mgorny.pl/articles/evolution-uid-trust-extrapolation.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnome:evolution:*:*:*:*:*:*:*:* (Version <= 3.38.3)

  • * Denotes that component is vulnerable
    gnome evolution *