Improper Verification of Cryptographic Signature Affecting openpgp package, versions <4.10.11>=5.0.0 <5.10.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.08% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-OPENPGP-5871276
  • published30 Aug 2023
  • disclosed29 Aug 2023
  • creditUnknown

Introduced: 29 Aug 2023

CVE-2023-41037  (opens in a new tab)
CWE-347  (opens in a new tab)

How to fix?

Upgrade openpgp to version 4.10.11, 5.10.1 or higher.

Overview

openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when the openpgp.readCleartextMessage() and openpgp.cleartext.readArmored() functions are used. An attacker can manipulate the contents of a Cleartext Signed Message, leading the victim to believe that the manipulated text was signed by the original sender.

Note: This is only exploitable if the user or application verifies the CleartextMessage by only checking the returned verified property, discarding the associated data information, and instead visually trusting the contents of the original message.

Workaround

This vulnerability can be mitigated by checking the contents of verificationResult.data to see what data was actually signed rather than visually trusting the contents of the armored message.

CVSS Scores

version 3.1