Description
Versions of openpgp (OpenPGP.js) prior to 4.2.0 are vulnerable to Improper Key Verification. The OpenPGP standard (RFC 4880) lets a signature packet carry subpackets in two areas: a hashed area, which is included in the data the signature is computed over, and an unhashed area, which is not. Unhashed subpackets are therefore not cryptographically protected and can be added or altered by anyone holding the signature without invalidating it, so they cannot be trusted. The openpgp package reads subpacket values without checking which area they came from, so values an attacker places in the unhashed area are treated as if they were signed.
Recommendation
Update the openpgp package to the latest compatible version. Version details:
- Affected version(s): <= 4.1.2
- Patched version(s): 4.2.0
References
- GHSA-hfmf-q43v-2ffj
- sec-consult.com
- www.bsi.bund.de
- snyk.io
- www.npmjs.com
- packetstormsecurity.com
- CVE-2019-9154
- CWE-347
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- Improper Authorization in passport-cognito - CVE-2019-19723
- matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification - CVE-2022-39250
- Invalid Curve Attack in openpgp - CVE-2019-9155
- Insufficient Verification of Data Authenticity in Eclipse Theia - CVE-2019-17636
Tags:
- npm
- openpgp
Last updated on January 09, 2023