CVE-2019-9155

low-risk
Published 2019-08-22

A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim's ECDH private key.

Do I need to act?

-
0.31% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Openpgpjs

Affected Vendors

Openpgpjs

References (12)

Third Party Advisory http://packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-In...
Third Party Advisory https://github.com/openpgpjs/openpgpjs/pull/853
Patch https://github.com/openpgpjs/openpgpjs/pull/853/commits/7ba4f8c655e7fd7706e8d733...
Release Notes https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0
Exploit https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-j...
Third Party Advisory https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvel...
Third Party Advisory http://packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-In...
Third Party Advisory https://github.com/openpgpjs/openpgpjs/pull/853
Patch https://github.com/openpgpjs/openpgpjs/pull/853/commits/7ba4f8c655e7fd7706e8d733...
Release Notes https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0
Exploit https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-j...
Third Party Advisory https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvel...
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal