CVE-2019-6690

HIGH

Python-gnupg < 0.4.4 - Improper Input Validation

Description

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue.

Exploits (2)

nomisec WORKING POC 6 stars
by brianwrf · poc
https://github.com/brianwrf/CVE-2019-6690
nomisec WORKING POC 1 star
by stigtsp · poc
https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability

Scores

CVSS v3 7.5
EPSS 0.2143
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE
CWE-20
Status published

Affected Products (9)

python/python-gnupg
debian/debian_linux
debian/debian_linux
opensuse/leap
suse/backports
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
pypi/python-gnupg < 0.4.4 (PyPI)

Timeline

Published Mar 21, 2019
Tracked Since Feb 18, 2026