Improper Input Validation

Affecting python-gnupg package, versions [,0.4.4)

Overview

python-gnupg is a command-line program which provides support for programmatic access via spawning a separate process to run it and then communicating with that process from your program.

Affected versions of this package are vulnerable to Improper Input Validation. An attacker can inject data through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods when symmetric encryption is used.

The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines.

By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted.

Remediation

Upgrade python-gnupg to version 0.4.4 or higher.

References

Do your applications use this vulnerable package?

CVSS Score

7.1
high severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Credit
Alexander Kjall and Stig Palmquis
CVE
CVE-2019-6690
CWE
CWE-20
Snyk ID
SNYK-PYTHON-PYTHONGNUPG-73633
Disclosed
24 Jan, 2019
Published
30 Jan, 2019