PT-2019-1354 · Gnupg+2 · Python-Gnupg+2
Alexander Kjäll +1 · Published 2018-06-09 · Updated 2024-07-12
CVE-2019-6690
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
python-gnupg version 0.4.3
Description
The issue is improper input validation that allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. This is possible when the adversary controls the passphrase passed to gnupg and the ciphertext is trusted. The vulnerability exists due to insufficient input validation in the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods of the python-gnupg package, which may allow an attacker to execute arbitrary code.
Recommendations
For python-gnupg version 0.4.3, consider restricting the use of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods until a patch is available. Additionally, ensure that the passphrase to gnupg is securely managed and that only trusted ciphertext is processed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Suse
Ubuntu
Python-Gnupg