2 matches found
@app-config/cli (>=2.0.2 <=3.0.0-alpha.6), @app-config/config (>=2.1.0 <=2.9.0-beta.3) +196 more potentially affected by CVE-2019-9155 via openpgp (>=0.11.1 <=4.10.9)
openpgp NPM version =0.11.1, =2.0.2, =2.1.0, =2.1.0, =2.7.0, =2.1.0, =2.8.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.6.0, =2.6.0, =2.8.0, =1.1.0, =1.6.4-rds-3.0 and more
Source CVEs: CVE-2019-9155
Source advisory: OSV:GHSA-77JF-FJJF-XCWW...
CVE-2019-9155
CVE-2019-9155 affects OpenPGP.js up to version 4.2.0, where the ECDH implementation fails to validate the partner’s public key, enabling an attacker who can forge messages and observe decryption outcomes to perform an invalid-curve attack and potentially exfiltrate the victim’s ECDH private key. ...