Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJmY2gtanZnNS1jcmY2
Improper Input Validation python-gnupg
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
Permalink: https://github.com/advisories/GHSA-2fch-jvg5-crf6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJmY2gtanZnNS1jcmY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-2fch-jvg5-crf6, CVE-2019-6690
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-6690
- https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/
- https://github.com/advisories/GHSA-2fch-jvg5-crf6
- https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/X4VFRUG56542LTYK4444TPJBGR57MT25/
- https://pypi.org/project/python-gnupg/#history
- https://seclists.org/bugtraq/2019/Jan/41
- https://usn.ubuntu.com/3964-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html
- http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html
- https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html
- https://web.archive.org/web/20200227091727/http://www.securityfocus.com/bid/106756
Affected Packages
pypi:python-gnupg
Dependent packages: 72Dependent repositories: 2,116
Downloads: 8,110,330 last month
Affected Version Ranges: < 0.4.4
Fixed in: 0.4.4
All affected versions: 0.2.3, 0.2.4, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3
All unaffected versions: 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.5.0, 0.5.1, 0.5.2