Vulnerability Description
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the adversary must control the passphrase passed to gnupg, while the ciphertext itself is trusted. Related to a "CWE-20: Improper Input Validation" issue in the affected component.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python-Gnupg | 0.4.3 |
| Debian | Debian Linux | 8.0 |
| Opensuse | Leap | 15.0 |
| Suse | Backports | - |
| Suse | Linux Enterprise | 15.0 |
| Canonical | Ubuntu Linux | 18.04 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html (Mailing List, Third Party Advisory)
- http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Va (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/bid/106756 (Broken Link)
- https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/ (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://pypi.org/project/python-gnupg/#history (Product, Third Party Advisory)
- https://seclists.org/bugtraq/2019/Jan/41 (Mailing List, Third Party Advisory)
- https://usn.ubuntu.com/3964-1/ (Third Party Advisory)
FAQ
What is CVE-2019-6690?
CVE-2019-6690 is a vulnerability with a CVSS score of 7.5 (HIGH). python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and t...
How severe is CVE-2019-6690?
CVE-2019-6690 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-6690?
Check the references section above for vendor advisories and patch information. Affected products include: Python python-gnupg, Debian Linux, openSUSE Leap, SUSE Backports, and SUSE Linux Enterprise.