CVE-2019-6690

HIGH LAB

Python-gnupg < 0.4.4 - Improper Input Validation

Description

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the adversary must control the passphrase passed to gnupg, and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue.

Exploits (2)

nomisec WORKING POC 6 stars
by brianwrf · poc
https://github.com/brianwrf/CVE-2019-6690
nomisec WORKING POC 1 star
by stigtsp · poc
https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability

Scores

CVSS v3 7.5
EPSS 0.2143
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Lab Environment

COMMUNITY
Community Lab
docker pull mintproject/base-ubuntu18

Details

CWE
CWE-20
Status published
Products (9)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
canonical/ubuntu_linux 19.04
debian/debian_linux 8.0
debian/debian_linux 9.0
opensuse/leap 15.0
pypi/python-gnupg 0 - 0.4.4 (PyPI)
python/python-gnupg 0.4.3
suse/backports
Published Mar 21, 2019
Tracked Since Feb 18, 2026