High severity · NVD Advisory · Published Aug 22, 2019 · Updated Aug 4, 2024
CVE-2019-9154
Description
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openpgp (npm) | < 4.2.0 | 4.2.0 |
Affected products
- OpenPGP.js/OpenPGP.js
References
- github.com/advisories/GHSA-hfmf-q43v-2ffj
- nvd.nist.gov/vuln/detail/CVE-2019-9154
- packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-Invalid-Curve-Attack.html
- github.com/openpgpjs/openpgpjs/pull/797
- github.com/openpgpjs/openpgpjs/pull/797/commits/47138eed61473e13ee8f05931119d3e10542c5e1
- github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
- sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js
- sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/
- snyk.io/vuln/SNYK-JS-OPENPGP-460247
- www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html
- www.npmjs.com/advisories/1161