Vulnerability CVE-2019-6690

Vulnerability Name:

CVE-2019-6690 (CCN-156203)

Assigned:

2019-01-25

Published:

2019-01-25

Updated:

2022-04-06

Summary:

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
8.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2019-6690

Source: SUSE
Type: Mailing List, Third Party Advisory
SU-2019:0143-1

Source: SUSE
Type: Mailing List, Third Party Advisory
SUSE-SU-2019:0239-1

Source: MISC
Type: Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html

Source: BID
Type: Broken Link
106756

Source: MISC
Type: Third Party Advisory
https://blog.hackeriet.no/cve-2019-6690-python-gnupg-vulnerability/

Source: XF
Type: UNKNOWN
pythongnupg-cve20196690-sec-bypass(156203)

Source: CCN
Type: python-gnupg Web site
python-gnupg - A Python wrapper for GnuPG

Source: MLIST
Type: Mailing List, Third Party Advisory
[SECURITY] [DLA 1675-1] 20190214 python-gnupg security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20211228 [SECURITY] [DLA 2862-1] python-gnupg security update

Source: FEDORA
Type: Broken Link
FEDORA-2020-e67d007a67

Source: FEDORA
Type: Broken Link
FEDORA-2019-06f5bbdaf5

Source: FEDORA
Type: Broken Link
FEDORA-2020-17fb3273b2

Source: CCN
Type: Packet Storm Security [01-25-2019]
Python GnuPG 0.4.3 Improper Input Validation

Source: MISC
Type: Product, Third Party Advisory
https://pypi.org/project/python-gnupg/#history

Source: BUGTRAQ
Type: Mailing List, Third Party Advisory
20190125 CVE-2019-6690: Improper Input Validation in python-gnupg

Source: CCN
Type: BugTraq Mailing List, Fri, 25 Jan 2019 10:58:23 +0100
CVE-2019-6690: Improper Input Validation in python-gnupg

Source: UBUNTU
Type: Third Party Advisory
USN-3964-1

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-6690

Vulnerable Configuration:

Configuration 1:

cpe:/a:python:python-gnupg:0.4.3:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:opensuse:leap:15.0:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:suse:backports:-:*:*:*:*:*:*:*

AND

cpe:/o:suse:linux_enterprise:15.0:*:*:*:*:*:*:*

Configuration 5:

cpe:/o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:python:python-gnupg:0.4.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20196690	V	CVE-2019-6690	2023-06-22
oval:org.opensuse.security:def:7780	P	python3-python-gnupg-0.4.7-150400.1.4 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3177	P	libgme0-0.6.0-5.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94807	P	python3-python-gnupg-0.4.7-150400.1.4 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:113290	P	python36-python-gnupg-0.4.7-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106702	P	python36-python-gnupg-0.4.7-1.2 on GA media (Moderate)	2021-10-01
oval:com.ubuntu.xenial:def:201966900000000	V	CVE-2019-6690 on Ubuntu 16.04 LTS (xenial) - medium.	2019-03-21
oval:com.ubuntu.bionic:def:20196690000	V	CVE-2019-6690 on Ubuntu 18.04 LTS (bionic) - medium.	2019-03-21
oval:com.ubuntu.disco:def:201966900000000	V	CVE-2019-6690 on Ubuntu 19.04 (disco) - medium.	2019-03-21
oval:com.ubuntu.cosmic:def:20196690000	V	CVE-2019-6690 on Ubuntu 18.10 (cosmic) - medium.	2019-03-21
oval:com.ubuntu.cosmic:def:201966900000000	V	CVE-2019-6690 on Ubuntu 18.10 (cosmic) - medium.	2019-03-21
oval:com.ubuntu.trusty:def:20196690000	V	CVE-2019-6690 on Ubuntu 14.04 LTS (trusty) - medium.	2019-03-21
oval:com.ubuntu.bionic:def:201966900000000	V	CVE-2019-6690 on Ubuntu 18.04 LTS (bionic) - medium.	2019-03-21
oval:com.ubuntu.xenial:def:20196690000	V	CVE-2019-6690 on Ubuntu 16.04 LTS (xenial) - medium.	2019-03-21

BACK