VDB
PYSEC-2019-115
PYSEC-2019-115
PUBLISHED
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | python-gnupg | 0, 0.2.3, 0.2.4 |
Timeline
- Mar 21, 2019 CVE Published
- Nov 8, 2023 CVE Updated
References
- https://seclists.org/bugtraq/2019/Jan/41 url
- https://pypi.org/project/python-gnupg/#history package
- http://www.securityfocus.com/bid/106756 url
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html url
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html url
- https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/ article
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/ url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/ url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/ url
- https://github.com/advisories/GHSA-qh62-ch95-63wh advisory
- https://github.com/advisories/GHSA-2fch-jvg5-crf6 advisory
- https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html advisory
- http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html exploit
- https://usn.ubuntu.com/3964-1/ advisory