PT-2019-19397 · Openpgp · Openpgp.Js
Wolfgang Ettlinger
·
Published
2019-08-22
·
Updated
2019-08-30
·
CVE-2019-9153
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
openpgp versions prior to 4.2.0
Description
The issue allows an attacker to forge signed messages by replacing their signatures with a "standalone" or "timestamp" signature. This is due to the improper verification of a cryptographic signature in OpenPGP.js. An attacker can construct a message with a signature type that only verifies subpackets without additional input, such as
standalone or timestamp, allowing them to create arbitrary signed messages that would be verified correctly.Recommendations
Upgrade to version 4.2.0 or later.
If you are upgrading from a version <4.0.0, read the
High-Level API Changes section of the openpgp 4.0.0 release to ensure a smooth transition.Exploit
Fix
Improper Verification of Cryptographic Signature
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openpgp.Js