{
  "threat_severity" : "Moderate",
  "public_date" : "2022-06-30T00:00:00Z",
  "bugzilla" : {
    "description" : "gpg: Signature spoofing via status line injection",
    "id" : "2102868",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2102868"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-347",
  "details" : [ "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", "A vulnerability was found in GnuPG. This issue occurs due to an escape detection loop at the write_status_text_and_buffer() function in g10/cpr.c. This flaw allows a malicious actor to bypass access control." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6463",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "gnupg2-0:2.2.20-3.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-09-20T00:00:00Z",
    "advisory" : "RHSA-2022:6602",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "gnupg2-0:2.3.3-2.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-09-20T00:00:00Z",
    "advisory" : "RHSA-2022:6602",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "gnupg2-0:2.3.3-2.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "gnupg2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "gpgme",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "gnupg2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "gpgme",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "gpgme",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "gpgme",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-34903\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-34903" ],
  "name" : "CVE-2022-34903",
  "csaw" : false
}