Moderate severity vulnerability that affects python-gnupg

Moderate severity GitHub Reviewed Published Nov 6, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

python-gnupg (pip)

Affected versions

= 0.3.5

Patched versions

0.3.6

Description

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
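
A regression check for this class of quoting bug, as an added example (not code from python-gnupg or from the advisory): `naive_quote` is a hypothetical, deliberately incomplete quoter, the sample values are constructed, and `shlex.split` stands in for POSIX shell word splitting so no shell is started.

```python
import shlex

safe_quote = shlex.quote  # standard-library quoter, used here as the baseline


def naive_quote(value):
    """Hypothetical incomplete quoter (not python-gnupg's code): wraps the
    value in double quotes and escapes embedded double quotes only, leaving
    backslashes untouched."""
    return '"' + value.replace('"', '\\"') + '"'


def parsed_words(quote, value):
    """Words a POSIX shell would see for `prog <quoted value>`, modelled with
    shlex.split (no shell is started). None means unbalanced quoting."""
    try:
        return shlex.split("prog " + quote(value))[1:]
    except ValueError:
        return None


def stays_one_argument(quote, value):
    """A correct quoter must round-trip every value to exactly one word."""
    return parsed_words(quote, value) == [value]


# Constructed sample values; the last two contain backslashes.
SAMPLES = [
    "alice@example.org",
    "two words",
    'say "hi"',
    "trailing\\",
    'a\\" b \\"c',
]


def audit(quote):
    """Return the sample values that `quote` fails to keep as one argument."""
    return [v for v in SAMPLES if not stays_one_argument(quote, v)]


if __name__ == "__main__":
    for name, fn in (("naive_quote", naive_quote), ("shlex.quote", safe_quote)):
        print(name, "fails on:", audit(fn))
```

Where the calling code allows it, passing an argument list to `subprocess` without `shell=True` removes the need for quoting altogether.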

References

Published to the GitHub Advisory Database Nov 6, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

0.192%
(57th percentile)

Weaknesses

CVE ID

CVE-2014-1928

GHSA ID

GHSA-2jc8-4r6g-282j

Source code

No known source code