Published: 22/08/2019 Updated: 30/08/2019

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an malicious user to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.

Vulnerable Product	Search on Vulmon	Subscribe to Product
openpgpjs openpgpjs

Full Disclosure mailing list archives   By Date By Thread </form>    SEC Consult SA-20190822-0 :: Multiple Vulnerabilities in OpenPGPjs  <!--X-Head-of-Message- ...

investigate vulnerability of opgp-service to message signature bypass (CVE-2019-9153) of openpgp

CVE-2019-9153 vulnerability reproduce PoC based on setup from BSI investigate vulnerability of opgp-service API to such an attack run tests with: npm test conclusion: opgp-service is by default setup with AEAD_protect=true which protects against the signature bypass attack described in CVE-2019-9153 LICENSE: MIT Copyright 2019 Sté

CWE-347 https://github.com/openpgpjs/openpgpjs/pull/797/commits/327d3e5392a6f59a4270569d200c7f7a2bfc4cbc https://github.com/openpgpjs/openpgpjs/pull/816 https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1 https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0 http://packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-Invalid-Curve-Attack.html https://nvd.nist.gov https://github.com/ZenyWay/opgp-service-cve-2019-9153 http://seclists.org/fulldisclosure/2019/Aug/18

CVE-2019-9153

Vulnerability Summary

Vulnerability Trend

Mailing Lists

Github Repositories

References

Vulmon Search

About

Products

Connect