Description
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
Report
The issue affects the versions of python-gnupg shipped with Red Hat Update Infrastructure 3; however, the vulnerable functions are never used by the product. The issue affects the versions of python-gnupg shipped with Red Hat Satellite 6; however, the vulnerable functions are never used by the product.
Mitigation
Filter out newlines from passphrases before passing them to python-gnupg.
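One way to apply this mitigation in calling code, as an added example that is not part of the advisory or of python-gnupg itself. The names `clean_passphrase`, `decrypt_checked`, `UnsafePassphrase` and `RecordingGPG` are hypothetical, and treating "\r" as a line break and offering a reject mode alongside the filter are assumptions that go beyond the one-line mitigation above.

```python
class UnsafePassphrase(ValueError):
    """Passphrase contains a line break and was rejected."""


# "\n" is what the advisory names; "\r" is added here as an assumption,
# since it also ends a line for many readers of line-oriented input.
LINE_BREAKS = ("\n", "\r")


def clean_passphrase(passphrase, strict=False):
    """Return the passphrase without line breaks.

    strict=False filters them out (the advisory's mitigation);
    strict=True refuses the passphrase instead of silently changing it.
    """
    if isinstance(passphrase, bytes):
        passphrase = passphrase.decode("utf-8")
    if not any(ch in passphrase for ch in LINE_BREAKS):
        return passphrase
    if strict:
        raise UnsafePassphrase("passphrase contains a line break")
    return "".join(ch for ch in passphrase if ch not in LINE_BREAKS)


def decrypt_checked(gpg, ciphertext, passphrase, strict=False):
    """Call gpg.decrypt() only with a passphrase that passed the check.

    gpg is a gnupg.GPG instance (or anything with the same decrypt method).
    """
    return gpg.decrypt(ciphertext, passphrase=clean_passphrase(passphrase, strict))


class RecordingGPG:
    """Constructed stand-in for gnupg.GPG so the example runs offline."""

    def __init__(self):
        self.seen = []

    def decrypt(self, message, passphrase=None):
        self.seen.append(passphrase)  # record what would reach gnupg
        return "decrypt called"


if __name__ == "__main__":
    stub = RecordingGPG()
    # Constructed input: a passphrase carrying an embedded newline.
    decrypt_checked(stub, b"<ciphertext>", "correct horse\nextra line")
    print(stub.seen)
```

Route every passphrase that originates outside the application through the check, so no code path hands an unfiltered value to python-gnupg.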
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Satellite 6 | python-gnupg | Not affected | | |
Red Hat Update Infrastructure 3 for Cloud Providers | python-gnupg | Will not fix | | |
Additional information
CVSS3: 7.5 High