org.webjars.npm:openpgp 1.4.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:openpgp package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Verification of Cryptographic Signature org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when the `openpgp.readCleartextMessage()` and `openpgp.cleartext.readArmored()` functions are used. An attacker can manipulate the contents of a Cleartext Signed Message, leading the victim to believe that the manipulated text was signed by the original sender. Note: This is only exploitable if the user or application verifies the `CleartextMessage` by only checking the returned `verified` property, discarding the associated `data` information, and instead visually trusting the contents of the original message. How to fix Improper Verification of Cryptographic Signature? Upgrade `org.webjars.npm:openpgp` to version 4.10.11, 5.10.1 or higher.	[,4.10.11)[5.0.0,5.10.1)
H Invalid Curve Attack org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol. Affected versions of this package are vulnerable to Invalid Curve Attack. It allows an attacker, who is already able provide forged messages and gain feedback about whether decryption of these messages succeeded, to conduct an invalid curve attack in order to gain the victim's ECDH private key. How to fix Invalid Curve Attack? Upgrade `org.webjars.npm:openpgp` to version 4.2.1 or higher.	[,4.2.1)
M Message Signature Bypass org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol. Affected versions of this package are vulnerable to Message Signature Bypass. OpenPGP defines several types of signatures with each type carrying a different semantic. Signatures are implemented as packets and each signature packet can contain subpackets. To indicate a message signature (e.g. a signed e-mail), the signature type “text” is used. The text signature packet verifies both its subpackets as well as the signed text. During verification of a message signature, OpenPGP.js does not verify that the signature is of type text. An attacker could therefore construct a message that, instead of a text signature, contains a signature of another type. As the input required for the verification process depends on the signature type, an attacker could use a signature with a type that only verifies its subpackets and does not require additional input. An attacker could construct a message that contains a valid “standalone” or “timestamp” signature packet signed by another person. OpenPGP.js would incorrectly assume this message to be signed by that person. How to fix Message Signature Bypass? Upgrade `org.webjars.npm:openpgp` to version 4.2.0 or higher.	[,4.2.0)
M Improper Authentication org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol. Affected versions of this package are vulnerable to Improper Authentication. OpenPGP signature subpackets contain information related to a signature (e.g. the creation timestamp). These subpackets may appear in a “hashed” and “unhashed” subpacket container. While the information in the hashed subpackets is signed, the unhashed subpackets are not cryptographically protected. An attacker could arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker could e.g. convince a victim to use an obsolete key for encryption. How to fix Improper Authentication? Upgrade `org.webjars.npm:openpgp` to version 4.2.0 or higher.	[,4.2.0)

Vulnerability

Vulnerable Version

Improper Verification of Cryptographic Signature

org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when the openpgp.readCleartextMessage() and openpgp.cleartext.readArmored() functions are used. An attacker can manipulate the contents of a Cleartext Signed Message, leading the victim to believe that the manipulated text was signed by the original sender.

Note: This is only exploitable if the user or application verifies the CleartextMessage by only checking the returned verified property, discarding the associated data information, and instead visually trusting the contents of the original message.

How to fix Improper Verification of Cryptographic Signature?

Upgrade org.webjars.npm:openpgp to version 4.10.11, 5.10.1 or higher.

[,4.10.11)[5.0.0,5.10.1)

Invalid Curve Attack

org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Invalid Curve Attack. It allows an attacker, who is already able provide forged messages and gain feedback about whether decryption of these messages succeeded, to conduct an invalid curve attack in order to gain the victim's ECDH private key.

How to fix Invalid Curve Attack?

Upgrade org.webjars.npm:openpgp to version 4.2.1 or higher.

[,4.2.1)

Message Signature Bypass

org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Message Signature Bypass. OpenPGP defines several types of signatures with each type carrying a different semantic. Signatures are implemented as packets and each signature packet can contain subpackets.

To indicate a message signature (e.g. a signed e-mail), the signature type “text” is used. The text signature packet verifies both its subpackets as well as the signed text.

During verification of a message signature, OpenPGP.js does not verify that the signature is of type text. An attacker could therefore construct a message that, instead of a text signature, contains a signature of another type. As the input required for the verification process depends on the signature type, an attacker could use a signature with a type that only verifies its subpackets and does not require additional input.

An attacker could construct a message that contains a valid “standalone” or “timestamp” signature packet signed by another person. OpenPGP.js would incorrectly assume this message to be signed by that person.

How to fix Message Signature Bypass?

Upgrade org.webjars.npm:openpgp to version 4.2.0 or higher.

[,4.2.0)

Improper Authentication

org.webjars.npm:openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Improper Authentication. OpenPGP signature subpackets contain information related to a signature (e.g. the creation timestamp). These subpackets may appear in a “hashed” and “unhashed” subpacket container. While the information in the hashed subpackets is signed, the unhashed subpackets are not cryptographically protected.

An attacker could arbitrarily modify the contents of e.g. a key certification signature or revocation signature. As a result, the attacker could e.g. convince a victim to use an obsolete key for encryption.

How to fix Improper Authentication?

Upgrade org.webjars.npm:openpgp to version 4.2.0 or higher.

[,4.2.0)

org.webjars.npm:openpgp@1.4.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?