Description
s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message.
Recommendation
Update the openpgp package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.3.0
- Patched version(s): 1.3.0
References
Related Issues
- Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - CVE-2023-45133
- @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input - CVE-2026-44728
- Possible inject arbitrary `CSS` into the generated graph affecting the container HTML - CVE-2022-31108
- matrix-js-sdk subject to impersonated messages due to permissive key forwarding - CVE-2022-39249
You might also like:
- Tags:
- npm
- openpgp
Anything's wrong? Let us know Last updated on January 27, 2023


