VDB

GCVE-110-CERTCC-2000-747124

GCVE-110-CERTCC-2000-747124
Advisory Published
Vulnetix · Advisory published August 24, 2000
Additional Decryption Keys (ADKs) is a feature introduced into PGP (Pretty Good Privacy) versions 5.5.x through 6.5.3 that allows authorized extra decryption keys to be added to a user's public key certificate. However, an implementation flaw in PGP allows unsigned ADKs which have been maliciously added to a certificate to be used for encryption. Data encrypted with PGP 5.5.x through 6.5.3 using a modified certificate will generate ciphertext encrypted with the ADK subject to the conditions list in the impact section. The attacker who modified the certificate can obtain the plaintext from this ciphertext. PGP does not correctly detect this form of certificate modification because it fails to check if the ADK is stored in the signed (hashed) portion of the public certificate. As a result, normal methods for evaluating the legitimacy of a public certificate (fingerprint verification) are not sufficient for users of vulnerable versions of PGP.

Risk Scores

certcc-cam
certcc-cam
impact8population17exploitation0widely_known20score_current3.978ease_of_exploitation4

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›