python-gnupg@0.3.5 vulnerabilities
A wrapper for the Gnu Privacy Guard (GPG or GnuPG)
-
latest version
0.5.2.dev0
-
latest non vulnerable version
-
first published
11 years ago
-
latest version published
5 months ago
-
licenses detected
- [0,)
Direct Vulnerabilities
Known vulnerabilities in the python-gnupg package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
python-gnupg is a command-line program which provides support for programmatic access via spawning a separate process to run it and then communicating with that process from your program. Affected versions of this package are vulnerable to Improper Input Validation. An attacker can inject data through the passphrase property of the The supplied passphrase is not validated for newlines, and the library passes By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted. How to fix Improper Input Validation? Upgrade |
[,0.4.4)
|
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. |
[0.3.5,0.3.6]
|
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. |
[0.3.5]
|
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. |
[0.3.5]
|