Message Forgery Vulnerability in Go Cryptography Libraries
CVE-2019-11841

5.9 MEDIUM

Key Information:

Vendor: Golang

Status
Vendor
CVE Published: 22 May 2019

What is CVE-2019-11841?

A message-forgery issue in the Go cryptography libraries lets attackers spoof cleartext signed messages. The clearsign package ignores the 'Hash' Armor Header, so the header can misrepresent the message digest algorithm used in the signature. An attacker could also embed arbitrary Armor Headers or prepend text to messages, which compromises the integrity of signed communications. The flaw undermines the authenticity and integrity that a signed message is meant to provide.
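An added example (not from this advisory or the Go project): a pre-check a caller could run on a cleartext signed message, rejecting leading text, armor headers other than Hash, and a Hash header that does not name the digest the signature actually used. The function name and the caller-supplied `sigHash` value are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const beginMarker = "-----BEGIN PGP SIGNED MESSAGE-----"

// CheckClearsignHeaders inspects the header block of a cleartext signed
// message before the result is trusted. sigHash is the digest name the
// verified signature packet actually used, supplied by the caller (assumed).
func CheckClearsignHeaders(msg, sigHash string) error {
	lines := strings.Split(strings.ReplaceAll(msg, "\r\n", "\n"), "\n")
	if lines[0] != beginMarker {
		return errors.New("text precedes the BEGIN PGP SIGNED MESSAGE line")
	}
	declared := map[string]bool{}
	for _, line := range lines[1:] {
		if line == "" { // only a truly empty line ends the header block
			if !declared[sigHash] {
				return fmt.Errorf("declared hashes do not include %s", sigHash)
			}
			return nil
		}
		if !strings.HasPrefix(line, "Hash: ") {
			return fmt.Errorf("unexpected armor header %q", line)
		}
		for _, h := range strings.Split(strings.TrimPrefix(line, "Hash: "), ",") {
			declared[strings.TrimSpace(h)] = true
		}
	}
	return errors.New("header block is not closed by an empty line")
}

func main() {
	// Constructed samples; only the header block matters for this check.
	samples := []string{
		beginMarker + "\nHash: SHA256\n\nhello\n",
		beginMarker + "\nHash: SHA512\n\nhello\n",
		beginMarker + "\nComment: note\nHash: SHA256\n\nhello\n",
		"intro\n" + beginMarker + "\nHash: SHA256\n\nhello\n",
	}
	for _, s := range samples {
		fmt.Println(CheckClearsignHeaders(s, "SHA256"))
	}
}
```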

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
