vulnerability
Arch Linux: Insufficient validation (CVE-2020-10759)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:L/AC:M/Au:N/C:P/I:P/A:N) | Sep 15, 2020 | Jul 11, 2025 | Nov 27, 2025 |
Severity
3
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:N)
Published
Sep 15, 2020
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
A PGP signature verification bypass has been found in fwupd prior to 1.4.0, and in libjcat <= 0.1.2. The issue is that if a detached signature is actually a PGP message, gpgme_op_verify() returns the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result() builds an empty list.
Solution
arch-linux-upgrade-latest
References
- CVE-2020-10759
- https://attackerkb.com/topics/CVE-2020-10759
- URL-https://bugzilla.redhat.com/show_bug.cgi?id=1844316
- URL-https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
- URL-https://security.archlinux.org/ASA-202007-6
- CWE-347
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.