CVE-2019-9153

Description

Versions of `openpgp` prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type `text`. This allows an attacker to to construct a message with a signature type that only verifies subpackets without additional input (such as `standalone` or `timestamp`). For example, an attacker that captures a `standalone` signature packet from a victim can construct arbitrary signed messages that would be verified correctly. ## Recommendation Upgrade to version 4.2.0 or later. If you are upgrading from a version <4.0.0 it is highly recommended to read the `High-Level API Changes` section of the `openpgp` 4.0.0 release: https://github.com/openpgpjs/openpgpjs/releases/tag/v4.0.0

How to fix CVE-2019-9153

To remediate CVE-2019-9153, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.0 or later

Is CVE-2019-9153 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4.2.0

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-9153
• WEBpacketstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-Invalid-Curve-Attack.html
• WEBgithub.com/openpgpjs/openpgpjs/pull/797/commits/327d3e5392a6f59a4270569d200c7f7a2bfc4cbc
• WEBgithub.com/openpgpjs/openpgpjs/pull/816