The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade openpgp
to version 4.10.11, 5.10.1 or higher.
openpgp is a JavaScript implementation of the OpenPGP protocol.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when the openpgp.readCleartextMessage()
and openpgp.cleartext.readArmored()
functions are used. An attacker can manipulate the contents of a Cleartext Signed Message, leading the victim to believe that the manipulated text was signed by the original sender.
Note:
This is only exploitable if the user or application verifies the CleartextMessage
by only checking the returned verified
property, discarding the associated data
information, and instead visually trusting the contents of the original message.
This vulnerability can be mitigated by checking the contents of verificationResult.data
to see what data was actually signed rather than visually trusting the contents of the armored message.