
CVE-2014-1928: python-gnupg's shell_quote function does not properly escape characters

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.42993%
Published: 11/6/2018
Updated: 10/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
python-gnupg    pip          = 0.3.5                0.3.6

Vulnerability Intelligence
Root Cause Analysis

The vulnerability centers on the shell_quote function's inadequate escaping, as demonstrated by:

  1. The CVE description explicitly naming shell_quote as the vulnerable component
  2. The email thread showing a concrete PoC in which shell_quote processes backslash-containing input
  3. Historical context showing this was an incomplete fix for CVE-2013-7323
  4. The function's direct role in sanitizing inputs for shell commands, which makes it the primary attack surface
  5. Debian security advisory DSA-2946-1 listing this CVE, confirming the function's critical role

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters t
