Improper Key Verification in openpgp

🗓️ 23 Aug 2019 21:42:18Reported by GitHub Advisory DatabaseType

Improper Key Verification in openpgp prior to 4.2.0 allows attackers to manipulate key certification or revocation signatures, potentially leading to the use of obsolete keys for encryption. Upgrading to version 4.2.0 or later is recommended

Reporter	Title	Published	Views	Family All 8
CVE	CVE-2019-9154	22 Aug 201915:39	–	cve
Cvelist	CVE-2019-9154	22 Aug 201915:39	–	cvelist
EUVD	EUVD-2019-0635	7 Oct 202500:30	–	euvd
Node.js	Improper Key Verification	6 Sep 201920:20	–	nodejs
NVD	CVE-2019-9154	22 Aug 201916:15	–	nvd
OSV	GHSA-HFMF-Q43V-2FFJ Improper Key Verification in openpgp	23 Aug 201921:42	–	osv
Prion	Input validation	22 Aug 201916:15	–	prion
Veracode	Improper Verification Of Cryptographic Signature	23 Aug 201902:00	–	veracode

Vulners

Node

openpgp openpgpRange≤4.1.2npm

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-9154
github	www.github.com/openpgpjs/openpgpjs/pull/797
github	www.github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1
github	www.github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
sec-consult	www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
bsi	www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html
snyk	www.snyk.io/vuln/SNYK-JS-OPENPGP-460247
npmjs	www.npmjs.com/advisories/1161
packetstormsecurity	www.packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-Invalid-Curve-Attack.html
github	www.github.com/advisories/GHSA-hfmf-q43v-2ffj

09 Jan 2023 05:02Current

1.4Low risk

Vulners AI Score1.4

CVSS 25

CVSS 37.5

EPSS0.00389

CWE-347