Improper Authentication in OpenPGP.js - CVE-2019-9153
Published: August 23, 2019
Vulnerability identifier: #VU20371
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-9153
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ProtonMail
Affected software:
OpenPGP.js
OpenPGP.js
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due the software does not verify the signature type during verification of a message signature. A remote attacker can send a specially crafted message with replaced signatures with a "standalone" or "timestamp" signature and forge signed messages.
How to mitigate CVE-2019-9153
Install updates from vendor's website.
Sources
- https://github.com/openpgpjs/openpgpjs/pull/797/commits/327d3e5392a6f59a4270569d200c7f7a2bfc4cbc
- https://github.com/openpgpjs/openpgpjs/pull/816
- https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailv...