{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13470", "assignerOrgId": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "state": "PUBLISHED", "assignerShortName": "Ribose", "dateReserved": "2025-11-20T08:36:59.270Z", "datePublished": "2025-11-21T17:05:15.683Z", "dateUpdated": "2025-11-21T17:35:33.645Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "RNP", "repo": "https://github.com/rnpgp/rnp", "vendor": "Ribose", "versions": [{"status": "affected", "version": "0.18.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Johannes Roth (MTG AG)"}], "datePublic": "2025-11-21T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p>In RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.</p><p>Any data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.<br><br>The vulnerability affects only public key encryption (PKESK packets).&nbsp; Passphrase-based encryption (SKESK packets) is not affected.<br><br>Root cause: Vulnerable session key buffer used in PKESK packet generation.<br></p>\n<p>The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path.</p><br></div>"}], "value": "In RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.\n\nAny data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.\n\nThe vulnerability affects only public key encryption (PKESK packets).\u00a0 Passphrase-based encryption (SKESK packets) is not affected.\n\nRoot cause: Vulnerable session key buffer used in PKESK packet generation.\n\n\n\nThe defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<ul><li>Decryption succeeds for affected ciphertext using an all-zero session key.</li><li>Attack requires only possession of the ciphertext.</li><li>Private keys are not exposed.&nbsp; Vulnerability is limited to session key generation path.</li></ul>"}], "value": "* Decryption succeeds for affected ciphertext using an all-zero session key.\n * Attack requires only possession of the ciphertext.\n * Private keys are not exposed.\u00a0 Vulnerability is limited to session key generation path."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Confidentiality issue for PKESK-encrypted data"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:Y/RE:H/U:Red", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "HIGH"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "shortName": "Ribose", "dateUpdated": "2025-11-21T17:17:44.765Z"}, "references": [{"name": "Introducing commit", "tags": ["related"], "url": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a"}, {"name": "Ubuntu package", "tags": ["x_downstream-package"], "url": "https://launchpad.net/ubuntu/+source/rnp"}, {"name": "Arch Linux AUR package", "tags": ["x_downstream-package"], "url": "https://aur.archlinux.org/packages/rnp"}, {"name": "Bugzilla report (may become public)", "tags": ["x_downstream_package"], "url": "https://packages.gentoo.org/packages/dev-util/librnp"}, {"tags": ["issue-tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415863"}, {"tags": ["third-party-advisory"], "url": "https://access.redhat.com/security/cve/cve-2025-13402"}, {"tags": ["vendor-advisory"], "url": "https://open.ribose.com/advisories/ra-2025-11-20/"}, {"tags": ["release-notes"], "url": "https://github.com/rnpgp/rnp/releases/tag/v0.18.1"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><b>For standalone RNP users:</b></div><div><br>Upgrade to RNP 0.18.1 when available.<br><br><b>For distributions that have packaged 0.18.0:</b></div><div><br>Please update to 0.18.1 when released, or consider providing 0.17.1 as an<br>interim option.<br><br><b>For Thunderbird packages using system RNP:</b></div><div><br>If your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.<br><br><b>For all other users:</b></div><div><br>Users who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements.<br></div>"}], "value": "For standalone RNP users:\n\n\nUpgrade to RNP 0.18.1 when available.\n\nFor distributions that have packaged 0.18.0:\n\n\nPlease update to 0.18.1 when released, or consider providing 0.17.1 as an\ninterim option.\n\nFor Thunderbird packages using system RNP:\n\n\nIf your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.\n\nFor all other users:\n\n\nUsers who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements."}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2025-06-19T00:00:00.000Z", "value": "RNP 0.18.0 released (vulnerability introduced)."}, {"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Vulnerability discovered and reported by Johannes Roth (MTG AG)."}, {"lang": "en", "time": "2025-11-19T00:00:00.000Z", "value": "CVE-2025-13402 assigned by Red Hat."}, {"lang": "en", "time": "2025-11-20T00:00:00.000Z", "value": "CVE-2025-13470 assigned by Ribose/MITRE."}, {"lang": "en", "time": "2025-11-20T00:00:00.000Z", "value": "Fix developed and tested."}, {"lang": "en", "time": "2025-11-21T00:00:00.000Z", "value": "Planned release date for RNP 0.18.1."}, {"lang": "en", "time": "2025-11-21T00:00:00.000Z", "value": "Public disclosure (same day as release)."}], "title": "RNP 0.18.0 Vulnerable PKESK session keys", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "No workaround.&nbsp; All PKESK-encrypted ciphertext produced with 0.18.0 is compromised.<br><br>"}], "value": "No workaround.\u00a0 All PKESK-encrypted ciphertext produced with 0.18.0 is compromised."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T17:35:25.938705Z", "id": "CVE-2025-13470", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T17:35:33.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13470", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T17:35:25.938705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T17:35:29.339Z"}}], "cna": {"title": "RNP 0.18.0 Vulnerable PKESK session keys", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Johannes Roth (MTG AG)"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Confidentiality issue for PKESK-encrypted data"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:Y/RE:H/U:Red", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/rnpgp/rnp", "vendor": "Ribose", "product": "RNP", "versions": [{"status": "affected", "version": "0.18.0"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "* Decryption succeeds for affected ciphertext using an all-zero session key.\n * Attack requires only possession of the ciphertext.\n * Private keys are not exposed.\u00a0 Vulnerability is limited to session key generation path.", "supportingMedia": [{"type": "text/html", "value": "<ul><li>Decryption succeeds for affected ciphertext using an all-zero session key.</li><li>Attack requires only possession of the ciphertext.</li><li>Private keys are not exposed.&nbsp; Vulnerability is limited to session key generation path.</li></ul>", "base64": false}]}], "timeline": [{"lang": "en", "time": "2025-06-19T00:00:00.000Z", "value": "RNP 0.18.0 released (vulnerability introduced)."}, {"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Vulnerability discovered and reported by Johannes Roth (MTG AG)."}, {"lang": "en", "time": "2025-11-19T00:00:00.000Z", "value": "CVE-2025-13402 assigned by Red Hat."}, {"lang": "en", "time": "2025-11-20T00:00:00.000Z", "value": "CVE-2025-13470 assigned by Ribose/MITRE."}, {"lang": "en", "time": "2025-11-20T00:00:00.000Z", "value": "Fix developed and tested."}, {"lang": "en", "time": "2025-11-21T00:00:00.000Z", "value": "Planned release date for RNP 0.18.1."}, {"lang": "en", "time": "2025-11-21T00:00:00.000Z", "value": "Public disclosure (same day as release)."}], "solutions": [{"lang": "en", "value": "For standalone RNP users:\n\n\nUpgrade to RNP 0.18.1 when available.\n\nFor distributions that have packaged 0.18.0:\n\n\nPlease update to 0.18.1 when released, or consider providing 0.17.1 as an\ninterim option.\n\nFor Thunderbird packages using system RNP:\n\n\nIf your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.\n\nFor all other users:\n\n\nUsers who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements.", "supportingMedia": [{"type": "text/html", "value": "<div><b>For standalone RNP users:</b></div><div><br>Upgrade to RNP 0.18.1 when available.<br><br><b>For distributions that have packaged 0.18.0:</b></div><div><br>Please update to 0.18.1 when released, or consider providing 0.17.1 as an<br>interim option.<br><br><b>For Thunderbird packages using system RNP:</b></div><div><br>If your Thunderbird package is built with system RNP support and RNP 0.18.0 is installed, update RNP to 0.18.1 or 0.17.1. Consider whether Thunderbird should continue using system RNP or switch to bundled RNP.<br><br><b>For all other users:</b></div><div><br>Users who encrypted sensitive data using RNP 0.18.0 (standalone or via Thunderbird with system RNP 0.18.0) should re-encrypt that data with RNP 0.18.1 or 0.17.1 based on their security requirements.<br></div>", "base64": false}]}], "datePublic": "2025-11-21T00:00:00.000Z", "references": [{"url": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a", "name": "Introducing commit", "tags": ["related"]}, {"url": "https://launchpad.net/ubuntu/+source/rnp", "name": "Ubuntu package", "tags": ["x_downstream-package"]}, {"url": "https://aur.archlinux.org/packages/rnp", "name": "Arch Linux AUR package", "tags": ["x_downstream-package"]}, {"url": "https://packages.gentoo.org/packages/dev-util/librnp", "name": "Bugzilla report (may become public)", "tags": ["x_downstream_package"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415863", "tags": ["issue-tracking"]}, {"url": "https://access.redhat.com/security/cve/cve-2025-13402", "tags": ["third-party-advisory"]}, {"url": "https://open.ribose.com/advisories/ra-2025-11-20/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/rnpgp/rnp/releases/tag/v0.18.1", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "No workaround.\u00a0 All PKESK-encrypted ciphertext produced with 0.18.0 is compromised.", "supportingMedia": [{"type": "text/html", "value": "No workaround.&nbsp; All PKESK-encrypted ciphertext produced with 0.18.0 is compromised.<br><br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "In RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.\n\nAny data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.\n\nThe vulnerability affects only public key encryption (PKESK packets).\u00a0 Passphrase-based encryption (SKESK packets) is not affected.\n\nRoot cause: Vulnerable session key buffer used in PKESK packet generation.\n\n\n\nThe defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path.", "supportingMedia": [{"type": "text/html", "value": "<div><p>In RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.</p><p>Any data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.<br><br>The vulnerability affects only public key encryption (PKESK packets).&nbsp; Passphrase-based encryption (SKESK packets) is not affected.<br><br>Root cause: Vulnerable session key buffer used in PKESK packet generation.<br></p>\n<p>The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path.</p><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values"}]}], "providerMetadata": {"orgId": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "shortName": "Ribose", "dateUpdated": "2025-11-21T17:17:44.765Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13470", "state": "PUBLISHED", "dateUpdated": "2025-11-21T17:35:33.645Z", "dateReserved": "2025-11-20T08:36:59.270Z", "assignerOrgId": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "datePublished": "2025-11-21T17:05:15.683Z", "assignerShortName": "Ribose"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In RNP version 0.18.0 a refactoring regression causes the symmetric \nsession key used for Public-Key Encrypted Session Key (PKESK) packets to\n be left uninitialized except for zeroing, resulting in it always being \nan all-zero byte array.\n\nAny data encrypted using public-key encryption \nin this release can be decrypted trivially by supplying an all-zero \nsession key, fully compromising confidentiality.\n\nThe vulnerability affects only public key encryption (PKESK packets).\u00a0 Passphrase-based encryption (SKESK packets) is not affected.\n\nRoot cause: Vulnerable session key buffer used in PKESK packet generation.\n\n\n\nThe defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization \nlogic inside `encrypted_build_skesk()` only randomized the key for the \nSKESK path and omitted it for the PKESK path."}], "id": "CVE-2025-13470", "lastModified": "2025-11-21T18:15:49.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:H/U:Red", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "HIGH"}, "source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "type": "Secondary"}]}, "published": "2025-11-21T17:15:50.473", "references": [{"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://access.redhat.com/security/cve/cve-2025-13402"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://aur.archlinux.org/packages/rnp"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2415863"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://github.com/rnpgp/rnp/commit/7bd9a8dc356aae756b40755be76d36205b6b161a"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://github.com/rnpgp/rnp/releases/tag/v0.18.1"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://launchpad.net/ubuntu/+source/rnp"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://open.ribose.com/advisories/ra-2025-11-20/"}, {"source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "url": "https://packages.gentoo.org/packages/dev-util/librnp"}], "sourceIdentifier": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "6504adb2-f5e9-4c9b-9eda-5e19c93bd9b3", "type": "Secondary"}]}

{}