Published: 21/03/2019 Updated: 07/11/2023

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

python-gnupg 0.4.3 allows context-dependent malicious users to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

Vulnerable Product	Search on Vulmon	Subscribe to Product
python python-gnupg 0.4.3
debian debian linux 8.0
debian debian linux 9.0
opensuse leap 15.0
suse backports -
canonical ubuntu linux 18.04
canonical ubuntu linux 18.10
canonical ubuntu linux 19.04

Several security issues were fixed in python-gnupg ...

CVE-2019-6690: Improper Input Validation in python-gnupg 043 We discovered a way to inject data trough the passphrase property of the gnupgGPGencrypt() and gnupgGPGdecrypt() methods when symmetric encryption is used The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the fi

It is a simple PoC of Improper Input Validation in python-gnupg 0.4.3 (CVE-2019-6690).

Summary It is a simple PoC of Improper Input Validation in python-gnupg 043 (CVE-2019-6690) Vulnerable python python-gnupg 043 python python-gnupg 036 python python-gnupg 035 python python-gnupg 034 Mitigation Users should upgrade to 044 Test Environment Docker Image docker pull avfisherdocker/python-gnupg043:CVE-2019-6690 docker run -d -p 5000:5000 avfisherdo

CVE-2019-6690: Improper Input Validation in python-gnupg 043 We discovered a way to inject data trough the passphrase property of the gnupgGPGencrypt() and gnupgGPGdecrypt() methods when symmetric encryption is used The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the fi

CWE-20 https://seclists.org/bugtraq/2019/Jan/41 https://pypi.org/project/python-gnupg/#history https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html http://www.securityfocus.com/bid/106756 http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/https://usn.ubuntu.com/3964-1/https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/https://usn.ubuntu.com/3964-1/https://nvd.nist.gov

CVE-2019-6690

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect