CVE-2019-6690: Improper Input Validation
python-gnupg allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the adversary must control the passphrase passed to gnupg, and the ciphertext should be trusted.
References
- lists.opensuse.org/opensuse-security-announce/2019-02/msg00008.html
- lists.opensuse.org/opensuse-security-announce/2019-02/msg00058.html
- packetstormsecurity.com/files/151341/Python-GnuPG-0.4.3-Improper-Input-Validation.html
- www.securityfocus.com/bid/106756
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6690
- cwe.mitre.org/data/definitions/20.html
- nvd.nist.gov/vuln/detail/CVE-2019-6690
- seclists.org/bugtraq/2019/Jan/41