CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
85.5%
Gnu Privacy Guard (GnuPG) is a cryptographic utility used to generate cryptographic keys and perform other cryptographic functions. A vulnerability in the way GnuPG generates ElGamal keys has been discovered. This vulnerability renders ElGamal signing key untrustworthy.
A vulnerability in the algorithm to generate ElGamal sign+encrypt keys can permit an attacker to generate valid signatures without access to the private key. This vulnerability does not affect encrypt-only (type 16) ElGamal keys, only the ElGamal sign+encrypt key (type 20) when used to make a signature with a GnuPG version 1.0.2 or later.
A remote attacker can generate a valid signature without access to the private key.
Revoke your ElGamal signing keys. GnuPG has released a patch for version 1.2.3 or you can upgrade to version 1.2.4 or later.
940388
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: December 29, 2003
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see the GnuPG advisory at <http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23940388 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
Thanks to Werner Koch for his advisory on this issue, and Phong Nguyen for reporting this vulnerability.
This document was written by Jason A Rafail.
CVE IDs: | CVE-2003-0971 |
---|---|
Severity Metric: | 6.33 Date Public: |