QwikSec

Security Database

CVE

CWE

Training

CVE-2019-9155

Published: Aug 22, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim's ECDH private key.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-openpgp-js/

x_refsource_MISC

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Mailvelope_Extensions/Mailvelope_Extensions_pdf.html#download=1

x_refsource_MISC

https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0

x_refsource_CONFIRM

https://github.com/openpgpjs/openpgpjs/pull/853

x_refsource_CONFIRM

https://github.com/openpgpjs/openpgpjs/pull/853/commits/7ba4f8c655e7fd7706e8d7334e44b40fdf56c43e

x_refsource_CONFIRM

http://packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-Invalid-Curve-Attack.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.