PT-2014-4367 · Debian+8 · Python-Gnupg

Published

2014-10-25

Updated

2018-11-06

CVE-2014-1928

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

The shell quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2014-1928

DSA-2946-1

GHSA-2JC8-4R6G-282J

PYSEC-2014-91

Affected Products

Python-Gnupg

PT-2014-4367 · Debian+8 · Python-Gnupg

CVE-2014-1928

Weakness Enumeration

Related Identifiers

Affected Products

References · 19