CVE-2010-3618

Public Exploit

Description

PGP Desktop 10.0.x before 10.0.3 SP2 and 10.1.0 before 10.1.0 SP1 does not properly implement the "Decrypt/Verify File via Right-Click" functionality for multi-packet OpenPGP messages that represent multi-message input, which allows remote attackers to spoof signed data by concatenating an additional message to the end of a legitimately signed message, related to a "piggy-back" or "unsigned data injection" issue.

References

Link	Tags
http://www.securitytracker.com/id?1024760	vdb entry
http://secunia.com/advisories/42307	third party advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101118_00
http://www.cs.ru.nl/E.Verheul/papers/Govcert/Pretty%20Good%20Piggybagging%20v1.0.pdf	exploit
http://secunia.com/advisories/42293	third party advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/63366	vdb entry
http://www.kb.cert.org/vuls/id/300785	third party advisory us government resource
https://pgp.custhelp.com/app/answers/detail/a_id/2290	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2010-3618?: CVE-2010-3618 has been scored as a medium severity vulnerability.
How to fix CVE-2010-3618?: To fix CVE-2010-3618, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2010-3618 being actively exploited in the wild?: It is possible that CVE-2010-3618 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-310 – Cryptographic Issues

References

Frequently Asked Questions