VDB
CVE-2003-0255
CVE-2003-0255
PUBLISHED
CVSS 10 CRITICAL
The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path.
EPSS 4.21% · 89.0th percentile
Risk Scores
CVSS 2.0
10
EPSS Score
4.21%
89.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| gnu | privacy_guard | 0 |
Timeline
- May 7, 2003 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Sep 8, 2023 EPSS Score
- Oct 30, 2023 EPSS Score
References
- TLSA200334 vendor-advisory
- RHSA-2003:175 vendor-advisory
- 4947 vdb
- oval:org.mitre.oval:def:135 vdb
- 20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04) mailing-list
- 7497 vdb
- 20030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg) mailing-list
- http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html url
- MDKSA-2003:061 vendor-advisory
- gnupg-invalid-key-acceptance(11930) vdb
- CLA-2003:694 vendor-advisory
- RHSA-2003:176 vendor-advisory
- 20030515-016 vendor-advisory
- ESA-20030515-016 vendor-advisory
- VU#397604 third-party-advisory
- 20030504 Key validity bug in GnuPG 1.2.1 and earlier mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2003-0255 advisory