CVE-2019-9153 – openpgp
Package
Manager: npm
Name: openpgp
Vulnerable Version: >=0 <4.2.0
Severity
Level: High
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00362 (percentile 0.57568)
Details
Message Signature Bypass in openpgp

Versions of `openpgp` prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type `text`. This allows an attacker to construct a message with a signature type that only verifies subpackets without additional input (such as `standalone` or `timestamp`). Per RFC 4880, a `standalone` (0x02) or `timestamp` (0x40) signature is computed only over the signature packet's own hashed subpackets and trailer, never over any document bytes, so if the verifier rebuilds the hash input from whatever type the packet claims, the same signature value checks out against any message body. For example, an attacker that captures a `standalone` signature packet from a victim can construct arbitrary signed messages that would be verified correctly.

Recommendation

Upgrade to version 4.2.0 or later. If you are upgrading from a version <4.0.0 it is highly recommended to read the `High-Level API Changes` section of the `openpgp` 4.0.0 release: https://github.com/openpgpjs/openpgpjs/releases/tag/v4.0.0
Metadata
Created: 2019-08-23T21:42:20Z
Modified: 2021-08-17T22:06:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-qwqc-28w3-fww6/GHSA-qwqc-28w3-fww6.json
CWE IDs: CWE-347
Alternative ID: GHSA-qwqc-28w3-fww6
Finding: F163
Auto approve: 1