Duplicate Advisory: python-gnupg allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended
Withdrawn: Duplicate of GHSA-2fch-jvg5-crf6
Advisories for Pypi/Python-Gnupg package
2020
2019
Improper Input Validation
python-gnupg allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted.
2018
python-gnupg's shell_quote function does not properly quote strings
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
python-gnupg's shell_quote function does not properly escape characters
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
python-gnupg vulnerable to shell injection
python-gnupg 0.3.5 and 0.3.6 allow for shell injection via a failure to escape backslashes in the shell_quote() function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
High severity vulnerability that affects python-gnupg
python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.