CVE Catalog

CVE-2019-14855

Low
Published: Translated: NVD NIST

Summary

A flaw in GnuPG before version 2.2.18 allows certificate signature forgery using SHA-1 collision attacks. An attacker can create forged certificate signatures, compromising authentication integrity.

Risk Assessment

The organization risks accepting forged certificates, enabling impersonation of trusted entities and compromising communication security.

Recommendation

Immediately update GnuPG to version 2.2.18 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS