
CVE-2022-3219: GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with...

CVSS Score: 5.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.01335%
Published: 2/23/2023
Updated: 3/12/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in how GnuPG handles compressed OpenPGP packets, particularly during public key import and detached signature verification. An attacker can craft a small input (for example, a public key with thousands of signatures attached) that, once compressed, is very small but requires significant CPU time and memory to decompress and process, causing a denial of service. The patch addresses this by disallowing compressed packets in these contexts (key import, detached signatures) and by adding stricter checks on the packet types and structures permitted there. The identified functions are those directly involved in parsing and processing these packets; the patch modifies them to enforce the new restrictions. The evidence is taken directly from the diff in the marc.info mailing list post, as direct commit access failed.

Vulnerable functions


WAF Protection Rules

WAF Rule

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
