Description
Versions of openpgp prior to 4.2.0 are vulnerable to Improper Key Verification. The OpenPGP standard allows signature packets to have subpackets which may be hashed or unhashed. Unhashed subpackets are not cryptographically protected and cannot be trusted. The openpgp package does not verify whether a subpacket is hashed.
Recommendation
Update the openpgp package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.1.2
- Patched version(s): 4.2.0
References
- GHSA-hfmf-q43v-2ffj
- sec-consult.com
- www.bsi.bund.de
- snyk.io
- www.npmjs.com
- packetstormsecurity.com
- CVE-2019-9154
- CWE-347
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- bson-objectid contains Improper input validation - CVE-2019-19729
- Insufficient Verification of Data Authenticity in Eclipse Theia - CVE-2019-17636
- Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
- Improper Verification of Cryptographic Signature in node-forge - node-forge - CVE-2022-24771
You might also like:
- Tags:
- npm
- openpgp
Anything's wrong? Let us know Last updated on January 09, 2023


