Improper Verification of Cryptographic Signature Affecting openpgp package, versions <4.10.11 >=5.0.0 <5.10.1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-OPENPGP-5871276
- published 30 Aug 2023
- disclosed 29 Aug 2023
- credit Unknown
Introduced: 29 Aug 2023
CVE-2023-41037 Open this link in a new tabHow to fix?
Upgrade openpgp to version 4.10.11, 5.10.1 or higher.
Overview
openpgp is a JavaScript implementation of the OpenPGP protocol.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when the openpgp.readCleartextMessage() and openpgp.cleartext.readArmored() functions are used. An attacker can manipulate the contents of a Cleartext Signed Message, leading the victim to believe that the manipulated text was signed by the original sender.
Note:
This is only exploitable if the user or application verifies the CleartextMessage by only checking the returned verified property, discarding the associated data information, and instead visually trusting the contents of the original message.
Workaround
This vulnerability can be mitigated by checking the contents of verificationResult.data to see what data was actually signed rather than visually trusting the contents of the armored message.