
CVE-2014-1927: python-gnupg's shell_quote function does not properly quote strings

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.71688%
Published: 11/6/2018
Updated: 10/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name: python-gnupg
Ecosystem: pip
Vulnerable Versions: = 0.3.5
First Patched Version: 0.3.6

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability centers on improper shell quoting in the shell_quote function. The code and mailing-list discussion cited for version 0.3.5 show that a string which starts or ends with a single quote (') was wrapped in double quotes ("), with only embedded double quotes escaped. Double quotes do not stop a POSIX shell from performing command substitution, so a value such as '$(command) is emitted with its $( ) sequence intact and is executed as soon as the quoted string is interpolated into a command line that a shell parses (the "$(" demonstration in the CVE description). By the same description, strings that neither start nor end with a single quote took the single-quote path and were not affected, which is why the flaw is an edge case in an otherwise working quoter. The function is named directly in the CVE description and security advisories as the root cause of the incomplete quoting that enables command injection. The standard remedy, and the approach Python's shlex.quote takes, is to always wrap the value in single quotes and rewrite each embedded single quote as '\'' (close the quote, emit an escaped quote, reopen), so that nothing inside the word is interpreted. Quoting only matters when the value reaches a shell; arguments handed to a subprocess as an argv list with no shell need no quoting at all, and that is the safer design where the calling code allows it.
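As an added illustration (not code from python-gnupg or from this page), the block below reconstructs the quoting strategy the analysis above describes for 0.3.5 from that description alone, places the safe single-quote idiom and shlex.quote beside it, and checks each result the way a POSIX shell tokenizer would. The function names, the set of "safe" characters that skip quoting, and the sample inputs are all assumptions made for the demonstration.

```python
import re
import shlex

# Characters that may appear unquoted. This mirrors shlex.quote's rule and is
# an assumption for the demo, not python-gnupg's own pattern.
_UNSAFE = re.compile(r"[^\w@%+=:,./-]")


def quote_double_quote_path(s):
    """Reconstruction of the 0.3.5 behaviour described in the root-cause
    analysis (assumed for the demo, not the library's code): a value that
    starts or ends with a single quote is wrapped in double quotes and only
    embedded double quotes are escaped. Inside double quotes a POSIX shell
    still expands $(...), `...` and $VAR, so command substitution survives.
    """
    if not s:
        return "''"
    if not _UNSAFE.search(s):
        return s
    if s[0] == "'" or s[-1] == "'":
        return '"%s"' % s.replace('"', '\\"')
    return "'%s'" % s.replace("'", "'\\''")


def quote_single_quote_only(s):
    """The safe idiom: always single-quote and rewrite each embedded ' as
    '\\'' (close the quote, emit an escaped quote, reopen). Nothing inside
    single quotes is expanded by a POSIX shell. shlex.quote does the same
    with '"'"' in place of '\\''.
    """
    if not s:
        return "''"
    if not _UNSAFE.search(s):
        return s
    return "'%s'" % s.replace("'", "'\\''")


def exposes_substitution(word):
    """Walk one shell word tracking quote state the way a POSIX tokenizer
    does and report whether a command-substitution opener ($( or a
    backtick) sits outside single quotes, i.e. where the shell would still
    run it. Backslash is treated as escaping the next character whenever it
    is not inside single quotes, which is exact for the characters this
    check cares about ($, `, ", \\).
    """
    in_single = in_double = escaped = False
    for i, ch in enumerate(word):
        if escaped:
            escaped = False
        elif in_single:
            in_single = ch != "'"
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_double = not in_double
        elif ch == "'" and not in_double:
            in_single = True
        elif ch == "`" or (ch == "$" and word[i + 1:i + 2] == "("):
            return True
    return False


def compare(value):
    """Return {quoter name: (quoted form, still exposes substitution?)}."""
    return {
        name: (fn(value), exposes_substitution(fn(value)))
        for name, fn in (
            ("double-quote path", quote_double_quote_path),
            ("single-quote only", quote_single_quote_only),
            ("shlex.quote", shlex.quote),
        )
    }


if __name__ == "__main__":
    # Constructed samples: the leading ' steers the flawed quoter onto its
    # double-quote branch, and $(id) is a harmless stand-in payload.
    for value in ("'$(id)", "$(id)", "plain-name"):
        for name, (quoted, exposed) in compare(value).items():
            print("%-18s %-22r exposes substitution: %s" % (name, quoted, exposed))
```

Only the input that starts with a single quote is mis-handled by the reconstructed quoter; `$(id)` on its own lands on the single-quote branch and is inert, which matches the page's point that the bug lives in one branch rather than in the whole function. The walker in exposes_substitution is the check a practitioner wants when auditing any hand-rolled quoter: it tells you where the shell would still expand, independent of what the quoter claims.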


WAF Protection Rules

WAF Rule

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences.
