CVE-2019-6690
python-gnupg - security update
7.5 HIGH (CVSS 3.1)
EPSS 21.4%
Description
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg into decrypting ciphertext other than the one intended. To perform the attack, the adversary must control the passphrase passed to gnupg, and the ciphertext must be trusted. The issue is classified as "CWE-20: Improper Input Validation".
How to fix CVE-2019-6690
To remediate CVE-2019-6690, upgrade the affected package to a fixed version below.
- upgrade to 0.4.4-1 or later
- upgrade to 0.3.6-1+deb8u1 or later
- upgrade to 0.4.4 or later
- upgrade to 0.4.4 or later
- upgrade to 0.4.4 or later
Is CVE-2019-6690 being exploited?
Moderate — EPSS is 21.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- from 0, < 0.4.4-1
- from 0, < 0.3.6-1+deb8u1
- from 0, < 0.4.4
- from 0, < 0.4.4
- from 0, < 0.4.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |