{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-19T00:00:00", "descriptions": [{"lang": "en", "value": "python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a \"CWE-20: Improper Input Validation\" issue affecting the affect functionality component."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-28T22:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "106756", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106756"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/python-gnupg/#history"}, {"name": "SU-2019:0143-1", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html"}, {"name": "SUSE-SU-2019:0239-1", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html"}, {"name": "[SECURITY] [DLA 1675-1] 20190214 python-gnupg security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html"}, {"name": "20190125 CVE-2019-6690: Improper Input Validation in python-gnupg", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jan/41"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/"}, {"name": "USN-3964-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3964-1/"}, {"name": "FEDORA-2019-06f5bbdaf5", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/"}, {"name": "FEDORA-2020-17fb3273b2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/"}, {"name": "FEDORA-2020-e67d007a67", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/"}, {"name": "[debian-lts-announce] 20211228 [SECURITY] [DLA 2862-1] python-gnupg security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-6690", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a \"CWE-20: Improper Input Validation\" issue affecting the affect functionality component."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "106756", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106756"}, {"name": "http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html"}, {"name": "https://pypi.org/project/python-gnupg/#history", "refsource": "MISC", "url": "https://pypi.org/project/python-gnupg/#history"}, {"name": "SU-2019:0143-1", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html"}, {"name": "SUSE-SU-2019:0239-1", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html"}, {"name": "[SECURITY] [DLA 1675-1] 20190214 python-gnupg security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html"}, {"name": "20190125 CVE-2019-6690: Improper Input Validation in python-gnupg", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jan/41"}, {"name": "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/", "refsource": "MISC", "url": "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/"}, {"name": "USN-3964-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3964-1/"}, {"name": "FEDORA-2019-06f5bbdaf5", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/"}, {"name": "FEDORA-2020-17fb3273b2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/"}, {"name": "FEDORA-2020-e67d007a67", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/"}, {"name": "[debian-lts-announce] 20211228 [SECURITY] [DLA 2862-1] python-gnupg security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T20:31:04.140Z"}, "title": "CVE Program Container", "references": [{"name": "106756", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106756"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/python-gnupg/#history"}, {"name": "SU-2019:0143-1", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html"}, {"name": "SUSE-SU-2019:0239-1", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html"}, {"name": "[SECURITY] [DLA 1675-1] 20190214 python-gnupg security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html"}, {"name": "20190125 CVE-2019-6690: Improper Input Validation in python-gnupg", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Jan/41"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/"}, {"name": "USN-3964-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3964-1/"}, {"name": "FEDORA-2019-06f5bbdaf5", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/"}, {"name": "FEDORA-2020-17fb3273b2", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/"}, {"name": "FEDORA-2020-e67d007a67", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/"}, {"name": "[debian-lts-announce] 20211228 [SECURITY] [DLA 2862-1] python-gnupg security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-6690", "datePublished": "2019-03-17T17:02:07", "dateReserved": "2019-01-23T00:00:00", "dateUpdated": "2024-08-04T20:31:04.140Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python-gnupg:0.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "9F9B1AA4-E3D9-4348-8CB2-139AFA1D4839", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:backports:-:*:*:*:*:*:*:*", "matchCriteriaId": "D4638CB8-0117-4D6B-96C9-2E6A33E6CDD6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "1607628F-77A7-4C1F-98DF-0DC50AE8627D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a \"CWE-20: Improper Input Validation\" issue affecting the affect functionality component."}, {"lang": "es", "value": "python-gnupg 0.4.3 permite que los atacantes dependientes del contexto enga\u00f1en a gnupg para descifrar texto cifrado diferente al planeado. Para realizar el ataque, la frase de contrase\u00f1a para gnupg debe estar controlada por el adversario y el texto cifrado deber\u00eda ser fiable. Relacionado con un problema CWE-20: validaci\u00f3n de entradas incorrecta que afecta al componente de la funcionalidad afectada."}], "id": "CVE-2019-6690", "lastModified": "2024-11-21T04:46:57.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-03-21T16:01:09.077", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/106756"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/python-gnupg/#history"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jan/41"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3964-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/106756"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WMV6XNPPL3VB3RQRFFOBCJ3AGWC4K47/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6KYZMN2PWXY4ENZVJUVTGFBVYEVY7II/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X4VFRUG56542LTYK4444TPJBGR57MT25/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://pypi.org/project/python-gnupg/#history"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jan/41"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3964-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-gnupg: improper input validation in gnupg.GPG.encrypt() and gnupg.GPG.decrypt()", "id": "1670364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1670364"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a \"CWE-20: Improper Input Validation\" issue affecting the affect functionality component."], "mitigation": {"lang": "en:us", "value": "Filter out newlines from passphrases before passing them to python-gnupg."}, "name": "CVE-2019-6690", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-gnupg", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "impact": "low", "package_name": "python-gnupg", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2019-01-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-6690\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-6690"], "statement": "The issue affects the versions of python-gnupg shipped with Red Hat Update Infrastructure 3, however the vulnerable functions are never used by the product.\nThe issue affects the versions of python-gnupg shipped with Red Hat Satellite 6, however the vulnerable functions are never used by the product.", "threat_severity": "Moderate", "upstream_fix": "python-gnupg 0.4.4"}