Homepage
About Snyk

Improper Input Validation Affecting python-gnupg package, versions [,0.4.4)

0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High
    Integrity High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 1.31% (86th percentile)
Expand this section
NVD
7.5 high
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-PYTHONGNUPG-73633
  • published 30 Jan 2019
  • disclosed 24 Jan 2019
  • credit Alexander Kjall and Stig Palmquis
Report a new vulnerability Found a mistake?

Introduced: 24 Jan 2019

CVE-2019-6690 Open this link in a new tab
CWE-20 Open this link in a new tab

How to fix?

Upgrade python-gnupg to version 0.4.4 or higher.

Overview

python-gnupg is a command-line program which provides support for programmatic access via spawning a separate process to run it and then communicating with that process from your program.

Affected versions of this package are vulnerable to Improper Input Validation. An attacker can inject data through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods when symmetric encryption is used.

The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines.

By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted.