CVE-2014-1928Improper Input Validation in Project Python-gnupg

CWE-20Improper Input Validation14 documents6 sources
Severity
7.5HIGHNVD
NVD4.6
EPSS
0.2%
top 57.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python-gnupg Project Python-gnupg
Timeline
PublishedOct 25
Latest updateNov 6

Description

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVSS vector

AV:L/AC:L/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages3 packages

PyPIpython-gnupg_project/python-gnupg0.3.50.3.6

🔴Vulnerability Details

8
OSV
python-gnupg's shell_quote function does not properly quote strings2018-11-06
GHSA
python-gnupg's shell_quote function does not properly quote strings2018-11-06
OSV
python-gnupg's shell_quote function does not properly escape characters2018-11-06
GHSA
python-gnupg's shell_quote function does not properly escape characters2018-11-06
OSV
CVE-2014-1927: The shell_quote function in python-gnupg 02014-10-25

📋Vendor Advisories

2
Debian
CVE-2014-1927: python-gnupg - The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, ...2014
Debian
CVE-2014-1928: python-gnupg - The shell_quote function in python-gnupg 0.3.5 does not properly escape characte...2014

💬Community

2
Bugzilla
CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929 python-gnupg: incorrect fix against shell injection2014-02-05
Bugzilla
CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)2013-03-11
CVE-2014-1928 — Improper Input Validation | cvebase