CVSS2 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector string | AV:N/AC:L/Au:N/C:N/I:N/A:P |

CVSS3 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS | Value |
---|---|
Percentile | 83.8% |
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
Author | Note |
---|---|
mdeslaur | this is a weakness in the PGP keyserver design. |
alexmurray | gnupg upstream has 2 mitigations for this: firstly, don't import key signatures by default anymore, and secondly, fall back to only importing self-signatures on very large keyblocks. |
mdeslaur | as of 2020-01-06, there is no ideal fix for this issue. Marking this CVE as deferred until a complete fix is available. |
sbeattie | gnupg mitigations landed in upstream in 2.2.17, with important fixes in 2.2.18. 2.2.19-3ubuntu1 introduced a debian/ubuntu specific change to use keys.openpgp.org as the default keyserver. Any backports to address this issue will be complex and introduce changes in behavior. sks in debian introduced very basic filtering in 1.1.6+git20210302.c3ba6d5a-1. |
rodrigo-zaiden | as of 2022-03-22, there is no upstream backport for gnupg 1.4 series. Backporting from 2.2 is too risky. |
gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
launchpad.net/bugs/cve/CVE-2019-13050
lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html
nvd.nist.gov/vuln/detail/CVE-2019-13050
security-tracker.debian.org/tracker/CVE-2019-13050
tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/
ubuntu.com/security/notices/USN-5431-1
www.cve.org/CVERecord?id=CVE-2019-13050