Main Vulnerability Database SB2020083107

SB2020083107 - Remote code execution in Kleopatra

Published: August 31, 2020

Security Bulletin ID SB2020083107

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Insecure DLL loading (CVE-ID: CVE-2020-24972)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to topenpgp4fpr: URLs are supported without safe handling of command-line options. A remote attacker can trick a victim to process a specially crafted URL via "openpgp4fpr" handler and execute arbitrary code on victim's system.

Remediation

Install update from vendor's website.

References

https://dev.gnupg.org/rKLEOPATRAb4bd63c1739900d94c04da03045e9445a5a5f54b
https://dev.gnupg.org/source/kleo/browse/master/CMakeLists.txt
https://security.gentoo.org/glsa/202008-21