CVE-2013-4351
gnupg2 - several
EPSS 1.3%
Description
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
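The defect described above is a classic absent-versus-empty confusion: a key flags subpacket that is present with every bit cleared collapses to the same integer value (0) as "no subpacket at all", and the fallback path then grants every usage. The following Python is an added illustration written for this page, not GnuPG's own code: it parses a constructed signature subpacket area using the RFC 4880 section 5.2.3.1 length encoding, locates the key flags subpacket (type 27, bit values from section 5.2.3.21), and contrasts a buggy interpretation (zero means "assume everything") with a corrected one that keeps "subpacket absent" and "no usage permitted" distinct. All function names and the sample byte strings are assumptions constructed for the example; treating an absent subpacket as "all usage" is a simplifying assumption made only so the two paths can be compared.

```python
# Key flags bit values (RFC 4880 section 5.2.3.21). Bits 0x10 (split key) and
# 0x80 (group key) are informational, so they are not part of the usage mask.
KEY_FLAG_CERTIFY = 0x01
KEY_FLAG_SIGN = 0x02
KEY_FLAG_ENCRYPT_COMMS = 0x04
KEY_FLAG_ENCRYPT_STORAGE = 0x08
KEY_FLAG_AUTH = 0x20
ALL_USAGE = (KEY_FLAG_CERTIFY | KEY_FLAG_SIGN | KEY_FLAG_ENCRYPT_COMMS
             | KEY_FLAG_ENCRYPT_STORAGE | KEY_FLAG_AUTH)

KEY_FLAGS_SUBPACKET_TYPE = 27  # RFC 4880 section 5.2.3.1 subpacket type


def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a signature subpacket area.

    Length encoding follows RFC 4880 section 5.2.3.1: one octet below 192,
    two octets for 192..16319, and 0xFF followed by a four-octet length.
    The length counts the type octet plus the body.
    """
    i, n = 0, len(area)
    while i < n:
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 1 >= n:
                raise ValueError("truncated two-octet subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            if i + 4 >= n:
                raise ValueError("truncated five-octet subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > n:
            raise ValueError("subpacket length runs past end of area")
        ptype = area[i] & 0x7F  # high bit is the 'critical' marker, not part of the type
        yield ptype, area[i + 1:i + length]
        i += length


def find_key_flags(area: bytes):
    """Return the key flags body, or None when the subpacket is absent."""
    for ptype, body in iter_subpackets(area):
        if ptype == KEY_FLAGS_SUBPACKET_TYPE:
            return body
    return None


def usage_buggy(key_flags) -> int:
    """Models the flawed logic: 0 usage bits are indistinguishable from 'no
    subpacket', so an all-bits-cleared subpacket ends up granting everything."""
    usage = key_flags[0] & ALL_USAGE if key_flags else 0
    if usage == 0:            # absent subpacket AND all-cleared subpacket both land here
        usage = ALL_USAGE
    return usage


def usage_fixed(key_flags) -> int:
    """Corrected logic: only a genuinely absent subpacket takes the fallback
    (assumed here to be 'all usage' for illustration); a present subpacket
    with no bits set means exactly what it says: no usage permitted."""
    if key_flags is None:
        return ALL_USAGE
    return key_flags[0] & ALL_USAGE if key_flags else 0


def permits(usage: int, required: int) -> bool:
    """True when every required usage bit is granted."""
    return (usage & required) == required


# Constructed sample subpacket areas (hypothetical, not taken from a real key).
# Each starts with a signature creation time subpacket (type 2, four zero octets).
AREA_NO_USAGE = bytes([5, 2, 0, 0, 0, 0, 2, KEY_FLAGS_SUBPACKET_TYPE, 0x00])
AREA_SIGN_ONLY = bytes([5, 2, 0, 0, 0, 0, 2, KEY_FLAGS_SUBPACKET_TYPE, KEY_FLAG_SIGN])
AREA_ABSENT = bytes([5, 2, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, area in (("no-usage", AREA_NO_USAGE), ("sign-only", AREA_SIGN_ONLY),
                       ("absent", AREA_ABSENT)):
        flags = find_key_flags(area)
        print(f"{name:10s} buggy=0x{usage_buggy(flags):02x} "
              f"fixed=0x{usage_fixed(flags):02x}")
```

The check a verifier should make is `permits(usage_fixed(flags), KEY_FLAG_SIGN)` before accepting a signature from a subkey; with the buggy interpretation the same call succeeds for a subkey whose owner explicitly declared it unusable, which is the bypass the description refers to.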
How to fix CVE-2013-4351
To remediate CVE-2013-4351, upgrade the affected package to a fixed version below.
- Debian/gnupg—upgrade to 1.4.10-4+squeeze3 or later
- Debian/gnupg2—upgrade to 2.0.22-1 or later
- Debian/gnupg2—upgrade to 2.0.14-2+squeeze2 or later
Is CVE-2013-4351 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.4.10-4+squeeze3
- from 0, < 2.0.22-1
- from 0, < 2.0.14-2+squeeze2