PT-2019-1354 · Gnupg+2 · Python-Gnupg+2

Alexander Kjäll +1

Published 2018-06-09 · Updated 2024-07-12

CVE-2019-6690

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
python-gnupg version 0.4.3

Description
Improper input validation (CWE-20) in the passphrase handling of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods of the python-gnupg package. When a passphrase is supplied, python-gnupg 0.4.3 runs gpg with --passphrase-fd 0 and writes the passphrase, terminated by a newline, to the same stdin stream as the data to be processed, without rejecting passphrases that themselves contain a newline. A context-dependent attacker who controls the passphrase can therefore append a newline followed by ciphertext of their choice: gpg takes only the first line as the passphrase and treats everything after the injected newline as input data, so it decrypts the attacker's ciphertext rather than the trusted one. The attack requires that the adversary controls the passphrase while the ciphertext is trusted by the application. The impact is on integrity only (the application receives attacker-chosen plaintext as if it came from the trusted message); it does not allow code execution, which is consistent with the CVSS vector C:N/I:H/A:N.

Recommendations
Upgrade to python-gnupg 0.4.4 or later, where upstream rejects passphrases containing a newline. If an upgrade is not possible, validate passphrases before passing them to gnupg.GPG.encrypt() or gnupg.GPG.decrypt() (reject any value containing '\n' or '\r') and treat any passphrase that reaches the application from an untrusted party as attacker-controlled. Trusting the ciphertext is not a mitigation on its own: the attack works precisely because the trusted ciphertext is displaced by data injected through the passphrase.
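The following is an added example, not code from this advisory or from the python-gnupg project. It models the stdin stream that python-gnupg 0.4.3 handed to gpg (passphrase, newline, then the data, with gpg reading the passphrase from fd 0), shows how a passphrase containing a newline lets an attacker-chosen message get in front of the trusted ciphertext, and shows the input check that blocks it. The two "ciphertexts" are constructed placeholders rather than real OpenPGP messages, gpg_reads() is a simplified model of gpg's stdin handling (first line is the passphrase, the rest is data) rather than gpg itself, and validate_passphrase() is a hypothetical application-side wrapper, not python-gnupg's API.

```python
# Added example (not from the advisory or from python-gnupg): models the
# CVE-2019-6690 passphrase newline injection and the check that blocks it.
# TRUSTED_CIPHERTEXT / ATTACKER_CIPHERTEXT are constructed placeholders, not
# real OpenPGP messages; gpg_reads() is a simplified model of gpg reading the
# passphrase from fd 0 (first line) and the data afterwards.

BEGIN = b"-----BEGIN PGP MESSAGE-----\n"
END = b"-----END PGP MESSAGE-----\n"

# Constructed sample data: the message the application trusts, and the one the
# attacker wants decrypted in its place.
TRUSTED_CIPHERTEXT = BEGIN + b"TRUSTED-PLACEHOLDER-BODY\n" + END
ATTACKER_CIPHERTEXT = BEGIN + b"ATTACKER-PLACEHOLDER-BODY\n" + END


def build_stdin_0_4_3(passphrase, data, encoding="utf-8"):
    """Bytes python-gnupg 0.4.3 wrote to gpg's stdin when a passphrase was set:
    the passphrase terminated by a newline, followed by the data to process."""
    return passphrase.encode(encoding) + b"\n" + data


def gpg_reads(stdin_bytes, encoding="utf-8"):
    """Model of gpg with --passphrase-fd 0: the passphrase is everything up to
    the first newline; everything after it is the input stream."""
    line, _, rest = stdin_bytes.partition(b"\n")
    return line.decode(encoding), rest


def first_armored_message(stream):
    """Return the first armored message in the stream, i.e. the one gpg would
    process first (simplified model)."""
    start = stream.find(BEGIN)
    if start < 0:
        return b""
    end = stream.find(END, start)
    if end < 0:
        return b""
    return stream[start:end + len(END)]


def decrypted_message_for(passphrase, trusted_ciphertext):
    """Which ciphertext ends up in front of gpg under the 0.4.3 behaviour."""
    _, data = gpg_reads(build_stdin_0_4_3(passphrase, trusted_ciphertext))
    return first_armored_message(data)


def is_safe_passphrase(passphrase):
    """True if the passphrase cannot break out of its own line on the passphrase
    fd. None means "no passphrase" and is fine; rejecting '\\r' as well as '\\n'
    is a conservative choice made here."""
    if passphrase is None:
        return True
    return "\n" not in passphrase and "\r" not in passphrase


def validate_passphrase(passphrase):
    """Hypothetical application-side check to run before calling
    gnupg.GPG.encrypt()/decrypt() on a 0.4.3 install."""
    if not is_safe_passphrase(passphrase):
        raise ValueError("passphrase must be a single line without CR/LF")
    return passphrase


if __name__ == "__main__":
    assert decrypted_message_for("hunter2", TRUSTED_CIPHERTEXT) == TRUSTED_CIPHERTEXT
    # Attacker-controlled passphrase: the real passphrase, a newline, then the
    # attacker's ciphertext. gpg still sees "hunter2" as the passphrase, but the
    # attacker's message now precedes the trusted one in the data stream.
    malicious = "hunter2\n" + ATTACKER_CIPHERTEXT.decode()
    hijacked = decrypted_message_for(malicious, TRUSTED_CIPHERTEXT)
    print("vulnerable path processes:", hijacked.splitlines()[1].decode())
    try:
        validate_passphrase(malicious)
    except ValueError as exc:
        print("hardened path rejects it:", exc)
```

Rejecting line breaks is the minimal fix and the one that matches the upstream change; the more robust design is to never share a stream between a secret and untrusted data at all, for example by passing the passphrase on a dedicated pipe or file descriptor distinct from the one carrying the ciphertext.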

Exploit

Passphrase newline injection; the impact is integrity (gpg decrypts attacker-chosen ciphertext in place of the trusted one), not remote code execution.

Weakness Enumeration

CWE-20: Improper Input Validation

Related Identifiers

ALT-PU-2018-1881
ALT-PU-2018-1884
ALT-PU-2018-2427
BDU:2019-00692
CESA-2018_2180
CESA-2018_2181
CVE-2019-6690
DLA-1675-1
DLA-2862-1
GHSA-2FCH-JVG5-CRF6
GHSA-QH62-CH95-63WH
MGASA-2019-0105
OPENSUSE-SU-2019:0143-1
OPENSUSE-SU-2019:0239-1
OPENSUSE-SU-2019_0143-1
OPENSUSE-SU-2024:11261-1
OPENSUSE-SU-2024:14158-1
PYSEC-2019-115
PYSEC-2019-45
RHSA-2018_2180
RHSA-2018_2181
USN-3964-1
USN-4839-1

Affected Products

Suse
Ubuntu
Python-Gnupg