CVE-2019-11627: OS Command Injection in Project Signing-party

Severity
9.8 CRITICAL (NVD)
EPSS
0.5% (top 35.39%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 30
Latest update: May 24

Description

gpg-key2ps in signing-party 1.1.x and 2.x before 2.10-1 contains an unsafe shell call enabling shell injection via a User ID.
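The bug class behind this advisory, as an added example that is not code from signing-party or gpg-key2ps: an OpenPGP User ID is attacker-chosen free text (anyone can put anything on their own key, and `gpg --list-keys` will print it), so splicing it into a shell command string hands the key holder a shell on every machine that renders the key. gpg-key2ps is a Perl script and the exact command it ran is not reproduced here; the `printf | wc -c` pipeline, the function names and the hostile User ID below are constructed for illustration, in Python so the pattern and both fixes can be run side by side.

```python
# Added example, not code from signing-party / gpg-key2ps: it reproduces the
# bug class of CVE-2019-11627 (an attacker-chosen OpenPGP User ID spliced into
# a shell command string) and two ways to close it. The exact command
# gpg-key2ps ran is not reproduced here; the 'printf | wc -c' pipeline and
# the User ID below are constructed for illustration.
import os
import shlex
import subprocess
import tempfile


def measure_uid_unsafe(uid: str) -> str:
    """Vulnerable pattern: the User ID is interpolated into a shell string.

    A User ID containing a quote and ';' ends the intended command and
    starts one of the attacker's choosing.
    """
    cmd = f"printf '%s' '{uid}' | wc -c"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def measure_uid_quoted(uid: str) -> str:
    """Fix 1: still a shell string, but the User ID is shell-quoted first."""
    cmd = f"printf '%s' {shlex.quote(uid)} | wc -c"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def measure_uid_noshell(uid: str) -> str:
    """Fix 2 (preferred): no shell at all; the User ID travels as data on stdin."""
    proc = subprocess.run(["wc", "-c"], input=uid, capture_output=True, text=True)
    return proc.stdout.strip()


def run_demo() -> dict:
    """Run all three variants against a hostile User ID and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        # Constructed hostile User ID: anyone can put this on their own key.
        # The leading quote closes the script's '...', then ';' injects a command,
        # and the trailing "echo '" re-opens a quote so the rest still parses.
        uid = f"Mallory <mallory@example.org>'; touch {marker}; echo '"

        measure_uid_unsafe(uid)
        unsafe_injected = os.path.exists(marker)   # True: the injected 'touch' ran
        if unsafe_injected:
            os.remove(marker)

        quoted_count = measure_uid_quoted(uid)
        quoted_injected = os.path.exists(marker)   # False: quoting kept it as data

        noshell_count = measure_uid_noshell(uid)
        noshell_injected = os.path.exists(marker)  # False: there was no shell to inject

    return {
        "uid_len": len(uid),
        "unsafe_injected": unsafe_injected,
        "quoted_injected": quoted_injected,
        "quoted_count": int(quoted_count),
        "noshell_injected": noshell_injected,
        "noshell_count": int(noshell_count),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two hardened variants both report a byte count equal to the User ID's length, i.e. the whole hostile string was treated as data. Of the two, dropping the shell entirely (list-form `subprocess.run`, or in Perl the list form of `system`/`open`) is the more robust fix, because it removes the quoting step that a later edit could get wrong; `shlex.quote` is the fallback when the command genuinely needs shell features such as a pipeline.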

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Debian: debian/signing-party < 2.10-1 (bookworm)
NVD: opensuse/leap 15.0, 42.3+1

Also affects: Debian Linux 8.0

🔴 Vulnerability Details (2)

GHSA: GHSA-rc9j-5pgx-7w89: gpg-key2ps in signing-party 1 (2022-05-24)
OSV: CVE-2019-11627: gpg-key2ps in signing-party 1 (2019-04-30)

📋 Vendor Advisories (1)

Debian: CVE-2019-11627: signing-party - gpg-key2ps in signing-party 1.1.x and 2.x before 2.10-1 contains an unsafe shell... (2019)
