
CVE-2013-7323: High severity vulnerability that affects python-gnupg

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.77669%
CWE: -
Published: 11/6/2018
Updated: 10/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
python-gnupg | pip       | < 0.3.5             | 0.3.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper shell argument sanitization when invoking GPG. The 0.3.5 patch introduced a shell_quote() function specifically to address command injection via shell metacharacters. The _make_args method is where the command-line arguments for the GPG subprocess call are assembled; before 0.3.5 it lacked proper input sanitization, as evidenced by the addition of shell_quote() in the patch and by multiple CVE descriptions confirming command injection via argument vectors.
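An added example (not python-gnupg's own code) contrasting the pre-fix pattern of splicing an untrusted value into a shell command string with a shell_quote()-style helper and with an argument vector that never touches a shell; the shell_quote() body, GPG_BINARY and the hostile filename are constructed assumptions, not taken from the project.

```python
import shlex
from typing import List

GPG_BINARY = "gpg"  # assumed binary name
# Constructed hostile input (not from the page): a filename carrying a shell
# command separator, the kind of metacharacter the advisory refers to.
CONSTRUCTED_FILENAME = "report.txt; id"


def shell_quote(arg: str) -> str:
    """Single-quote an argument so a POSIX shell treats it as one literal word.
    Hypothetical helper illustrating the idea behind the 0.3.5 fix, not its code."""
    return "'" + arg.replace("'", "'\\''") + "'"


def unsafe_command_line(filename: str) -> str:
    """Pre-fix pattern: an untrusted value spliced straight into a shell string."""
    return f"{GPG_BINARY} --batch --encrypt {filename}"


def quoted_command_line(filename: str) -> str:
    """Same command, with the untrusted value passed through shell_quote() first."""
    return f"{GPG_BINARY} --batch --encrypt {shell_quote(filename)}"


def argv_command(filename: str) -> List[str]:
    """Preferred form: an argument vector handed to subprocess without shell=True,
    so no shell parses the value and quoting becomes unnecessary."""
    return [GPG_BINARY, "--batch", "--encrypt", filename]


def shell_tokens(cmdline: str) -> List[str]:
    """Approximate how /bin/sh would tokenise the line, using shlex with
    punctuation_chars so operators such as ';' and '&&' become their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def has_command_separator(tokens: List[str]) -> bool:
    """Detection helper: does the tokenised line contain a shell operator?"""
    return any(tok in {";", "&&", "||", "|", "&", "(", ")", "<", ">"} for tok in tokens)


if __name__ == "__main__":
    print(shell_tokens(unsafe_command_line(CONSTRUCTED_FILENAME)))   # ';' and 'id' split off
    print(shell_tokens(quoted_command_line(CONSTRUCTED_FILENAME)))   # one literal word
    print(argv_command(CONSTRUCTED_FILENAME))                        # never shell-parsed
```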

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
