High severity vulnerability that affects python-gnupg
High severity
GitHub Reviewed
Published
Nov 6, 2018
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Published to the GitHub Advisory Database
Nov 6, 2018
Reviewed
Jun 16, 2020
Last updated
Jan 9, 2023
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
References