PublicDateAtUSN: 2018-12-20
Candidate: CVE-2018-1000858
PublicDate: 2018-12-20 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000858
 https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html
 https://sektioneins.de/en/blog/18-11-23-gnupg-wkd.html
 https://ubuntu.com/security/notices/USN-3853-1
Description:
 GnuPG version 2.1.12 - 2.2.11 contains a Cross Site Request Forgery (CSRF)
 vulnerability in dirmngr that can result in attacker-controlled CSRF,
 Information Disclosure, DoS. This attack appears to be exploitable via:
 Victim must perform a WKD request, e.g. enter an email address in the
 composer window of Thunderbird/Enigmail. This vulnerability appears to have
 been fixed after commit 4a4bb874f63741026bd26264c43bb32b1099f060.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 2.1.12
Bugs:
Priority: medium
Discovered-by: Ben Fuhrmannek
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_gnupg2:
 upstream: https://github.com/gpg/gnupg/commit/4a4bb874f63741026bd26264c43bb32b1099f060 (2.2.12)
upstream_gnupg2: released (2.2.12-1)
precise/esm_gnupg2: DNE
trusty_gnupg2: not-affected (code not present)
trusty/esm_gnupg2: DNE (trusty was not-affected [code not present])
xenial_gnupg2: not-affected (code not present)
esm-infra/xenial_gnupg2: not-affected (code not present)
bionic_gnupg2: released (2.2.4-1ubuntu1.2)
cosmic_gnupg2: released (2.2.8-3ubuntu1.1)
devel_gnupg2: released (2.2.12-1ubuntu1)