Vulnerability identifier: #VU20375
Vulnerability risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-310
Exploitation vector: Network
Exploit availability: No
Vulnerable software: OpenPGP.js
Universal components / Libraries / Libraries used by multiple products
Vendor: ProtonMail
Description
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
OpenPGP.js: 0.1.0 - 4.2.0
External links
http://github.com/openpgpjs/openpgpjs/pull/853
http://github.com/openpgpjs/openpgpjs/pull/853/commits/7ba4f8c655e7fd7706e8d7334e44b40fdf56c43e
http://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0
http://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
http://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.