CVE-2019-6690

EUVD-2019-0114
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
Affected Products (NVD)
VendorProductVersion
pythonpython-gnupg
0.4.3
debiandebian_linux
8.0
debiandebian_linux
9.0
opensuseleap
15.0
susebackports
-
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
canonicalubuntu_linux
19.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-gnupg
bookworm
0.4.9-1
fixed
bullseye
0.4.6-1
fixed
sid
0.5.2-2
fixed
trixie
0.5.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-gnupg
bionic
Fixed 0.4.1-1ubuntu1.18.04.1
released
cosmic
Fixed 0.4.1-1ubuntu1.18.10.1
released
disco
Fixed 0.4.3-1ubuntu1.19.04.1
released
eoan
ignored
focal
needed
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
Fixed 0.3.6-1ubuntu0.1~esm1
released
xenial
Fixed 0.3.8-2ubuntu0.1~esm1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html
http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html
http://www.securityfocus.com/bid/106756
https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/
https://pypi.org/project/python-gnupg/#history
https://seclists.org/bugtraq/2019/Jan/41
https://usn.ubuntu.com/3964-1/
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html
http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html
http://www.securityfocus.com/bid/106756
https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html
https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/
https://pypi.org/project/python-gnupg/#history
https://seclists.org/bugtraq/2019/Jan/41
https://usn.ubuntu.com/3964-1/