CVE-2019-9155 – openpgp

Package

Manager: npm
Name: openpgp
Vulnerable Version: >=0 <4.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00285 pctl0.51592

Details

Invalid Curve Attack in openpgp Versions of `openpgp` prior to 4.3.0 are vulnerable to an Invalid Curve Attack. The package's implementation of ECDH fails to verify the validity of the communication partner's public key. The package calculates the resulting key secret based on an altered curve instead of the specified elliptic curve. Attackers may exfiltrate the victim's private key by choosing the altered curve. An attack requires the attacker being able to initiate message decryption and record the result. Furthermore the victim's key must offer an ECDH public key. ## Recommendation Upgrade to version 4.3.0 or later. If you are upgrading from a version <4.0.0 it is highly recommended to read the `High-Level API Changes` section of the `openpgp` 4.0.0 release: https://github.com/openpgpjs/openpgpjs/releases/tag/v4.0.0

Metadata

Created: 2019-08-23T21:42:22Z
Modified: 2021-07-27T21:15:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-77jf-fjjf-xcww/GHSA-77jf-fjjf-xcww.json
CWE IDs: ["CWE-327"]
Alternative ID: GHSA-77jf-fjjf-xcww
Finding: F052
Auto approve: 1