Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJmY2gtanZnNS1jcmY2

Improper Input Validation python-gnupg

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

Permalink: https://github.com/advisories/GHSA-2fch-jvg5-crf6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJmY2gtanZnNS1jcmY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.01419
EPSS Percentile: 0.86806

Identifiers: GHSA-2fch-jvg5-crf6, CVE-2019-6690
References: Blast Radius: 24.9

Affected Packages

pypi:python-gnupg
Dependent packages: 90
Dependent repositories: 2,116
Downloads: 10,500,002 last month
Affected Version Ranges: < 0.4.4
Fixed in: 0.4.4
All affected versions: 0.2.3, 0.2.4, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3
All unaffected versions: 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.5.0, 0.5.1, 0.5.2, 0.5.3