Vulnerability Details : CVE-2014-1928
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
Vulnerability category: Input validation; Execute code
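The description above says the 0.3.5 fix still let a backslash in attacker-controlled input defeat the quoting and split one gpg invocation into several shell commands. The following is an added example, not python-gnupg's own shell_quote (whose exact source this page does not reproduce): naive_quote is a constructed stand-in that escapes only the double quote, ATTACKER_RECIPIENT is a constructed payload, and shlex (standard library, Python 3.8+) is used to show how a POSIX shell would tokenise the resulting command line. It contrasts that with shlex.quote and with passing an argv list so no shell is involved at all.

```python
"""Why an incomplete quoting routine lets a backslash form multi-command sequences.

Added illustration for CVE-2014-1928; not code from python-gnupg.
"""
import shlex
from typing import List


def naive_quote(s: str) -> str:
    """Constructed stand-in for an incomplete quoter (NOT python-gnupg's shell_quote).

    Wraps the value in double quotes and escapes only the double quote itself.
    Backslashes pass through untouched, so an attacker-supplied backslash
    can swallow the backslash the quoter inserts and re-open the shell.
    """
    return '"' + s.replace('"', '\\"') + '"'


def shell_words(command_line: str) -> List[str]:
    """Tokenise a command line the way POSIX sh would.

    posix=True honours quoting and backslash escapes; punctuation_chars=True
    keeps ';', '|', '&', '(' and ')' as their own tokens so that command
    boundaries are visible in the output.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def commands_seen(command_line: str) -> List[List[str]]:
    """Split the token stream on ';' into the separate commands sh would run."""
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in shell_words(command_line):
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Constructed payload: the backslash before the first quote neutralises the
# escaping backslash that naive_quote inserts, closing the quoted string early.
ATTACKER_RECIPIENT = r'x\" ; id ; \"'


def vulnerable_command(recipient: str) -> str:
    """Command line built with the incomplete quoter (the vulnerable pattern)."""
    return "gpg --recipient " + naive_quote(recipient)


def quoted_command(recipient: str) -> str:
    """Same command line built with shlex.quote (single-quote quoting)."""
    return "gpg --recipient " + shlex.quote(recipient)


def argv_command(recipient: str) -> List[str]:
    """Preferred form: an argv list for subprocess.run(..., shell=False).

    No shell ever parses the recipient, so no quoting is needed at all.
    """
    return ["gpg", "--recipient", recipient]


def is_injected(recipient: str) -> bool:
    """True if the naively quoted command line yields more than one shell command."""
    return len(commands_seen(vulnerable_command(recipient))) > 1


if __name__ == "__main__":
    print("vulnerable :", vulnerable_command(ATTACKER_RECIPIENT))
    print("  sh runs  :", commands_seen(vulnerable_command(ATTACKER_RECIPIENT)))
    print("shlex.quote:", quoted_command(ATTACKER_RECIPIENT))
    print("  sh runs  :", commands_seen(quoted_command(ATTACKER_RECIPIENT)))
    print("argv list  :", argv_command(ATTACKER_RECIPIENT))
```

With the naive quoter the shell sees three commands: `gpg --recipient 'x\'`, then `id`, then a harmless command named `\`; with shlex.quote the whole payload is one argument. The argv form is the real fix for this class of bug: quoting is only needed because a shell is in the loop, and removing the shell removes the attack surface rather than trying to enumerate every metacharacter.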
Products affected by CVE-2014-1928
- cpe:2.3:a:python-gnupg_project:python-gnupg:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-1928
EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~57% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2014-1928
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST |
CWE ids for CVE-2014-1928
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1928
- https://code.google.com/p/python-gnupg/issues/detail?id=98 (Google Code Archive; tagged Exploit, Vendor Advisory)
- http://seclists.org/oss-sec/2014/q1/246 (oss-sec: Re: CVE request: python-gnupg before 0.3.5 shell injection; tagged Exploit)
- https://code.google.com/p/python-gnupg/ (Google Code Archive)
- http://seclists.org/oss-sec/2014/q1/294 (oss-sec: Re: CVE request: python-gnupg before 0.3.5 shell injection; tagged Exploit)
- http://www.debian.org/security/2014/dsa-2946 (Debian Security Information: DSA-2946-1 python-gnupg)