Lucene search

GitHub Advisory DatabaseGHSA-QMVQ-F3FJ-M3WG

HistoryMay 17, 2022 - 2:15 a.m.

OpenPGP 1.2.0 and earlier decrypts arbitrary messages

2022-05-1702:15:35

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

65.1%

JSON

s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message.

Affected configurations

Vulners

Node

openpgpopenpgpRange<1.3.0

CPENameOperatorVersion
openpgplt1.3.0

CPE	Name	Operator	Version
	openpgp	lt	1.3.0

References

www.openwall.com/lists/oss-security/2015/10/30/5

github.com/advisories/GHSA-qmvq-f3fj-m3wg

github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29

nvd.nist.gov/vuln/detail/CVE-2015-8013

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

65.1%

JSON

Related for GHSA-QMVQ-F3FJ-M3WG