CVE-2015-8013 – openpgp
Package
Manager: npm
Name: openpgp
Vulnerable Version: >=0 <1.3.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01077 (percentile: 0.7698)
Details
OpenPGP 1.2.0 and earlier decrypts arbitrary messages. s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys, which allows remote attackers to bypass authentication, if message decryption is used as an authentication mechanism, via a crafted symmetrically encrypted PGP message.
Metadata
Created: 2022-05-17T02:15:35Z
Modified: 2022-06-17T21:22:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmvq-f3fj-m3wg/GHSA-qmvq-f3fj-m3wg.json
CWE IDs: []
Alternative ID: GHSA-qmvq-f3fj-m3wg
Finding: F052
Auto approve: 1