PT-2019-19393 · Gnu+1 · Gnupg+1

Published

2019-07-09

Updated

2022-04-18

CVE-2019-9149

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mailvelope versions prior to 3.3.0

Description The issue allows private key operations without user interaction via its client-API. An attacker can modify a URL parameter in Mailvelope to sign and encrypt arbitrary messages, assuming the private key password is cached. Additionally, when the GnuPG backend is used, an attacker can decrypt an arbitrary message.

Recommendations For versions prior to 3.3.0, update to version 3.3.0 or later to resolve the issue. As a temporary workaround, consider clearing the private key password cache to prevent unauthorized access. Restrict access to the client-API to minimize the risk of exploitation. Avoid using the GnuPG backend until the issue is resolved.

Exploit

Fix

Improper Verification of Cryptographic Signature

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347CWE-863

Related Identifiers

CVE-2019-9149

Affected Products

Gnupg

Mailvelope

PT-2019-19393 · Gnu+1 · Gnupg+1

CVE-2019-9149

Weakness Enumeration

Related Identifiers

Affected Products

References · 5