CVE-2019-6690

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
pythonpython-gnupg
0.4.3
debiandebian_linux
8.0
debiandebian_linux
9.0
opensuseleap
15.0
susebackports
-
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
canonicalubuntu_linux
19.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-gnupg
bullseye
0.4.6-1
fixed
bookworm
0.4.9-1
fixed
sid
0.5.2-2
fixed
trixie
0.5.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-gnupg
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
Fixed 0.4.3-1ubuntu1.19.04.1
released
cosmic
Fixed 0.4.1-1ubuntu1.18.10.1
released
bionic
Fixed 0.4.1-1ubuntu1.18.04.1
released
xenial
Fixed 0.3.8-2ubuntu0.1~esm1
released
trusty
Fixed 0.3.6-1ubuntu0.1~esm1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html
http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html
http://www.securityfocus.com/bid/106756
https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/
https://pypi.org/project/python-gnupg/#history
https://seclists.org/bugtraq/2019/Jan/41
https://usn.ubuntu.com/3964-1/
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html
http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html
http://www.securityfocus.com/bid/106756
https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/
https://pypi.org/project/python-gnupg/#history
https://seclists.org/bugtraq/2019/Jan/41
https://usn.ubuntu.com/3964-1/