Homepage
About Snyk

Improper Verification of Cryptographic Signature Affecting openpgp package, versions <4.10.11 >=5.0.0 <5.10.1

0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 0.05% (17th percentile)
Expand this section
NVD
4.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-OPENPGP-5871276
  • published 30 Aug 2023
  • disclosed 29 Aug 2023
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 29 Aug 2023

CVE-2023-41037 Open this link in a new tab
CWE-347 Open this link in a new tab

How to fix?

Upgrade openpgp to version 4.10.11, 5.10.1 or higher.

Overview

openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when the openpgp.readCleartextMessage() and openpgp.cleartext.readArmored() functions are used. An attacker can manipulate the contents of a Cleartext Signed Message, leading the victim to believe that the manipulated text was signed by the original sender.

Note: This is only exploitable if the user or application verifies the CleartextMessage by only checking the returned verified property, discarding the associated data information, and instead visually trusting the contents of the original message.

Workaround

This vulnerability can be mitigated by checking the contents of verificationResult.data to see what data was actually signed rather than visually trusting the contents of the armored message.