Cryptographic Vulnerability in OpenPGP.js Allows ECDH Private Key Exposure
CVE-2019-9155

5.9MEDIUM

Key Information:

Vendor

Openpgpjs

Status
Openpgpjs
Vendor
CVE Published:
22 August 2019

What is CVE-2019-9155?

A critical cryptographic vulnerability exists in OpenPGP.js versions 4.2.0 and earlier, which can be exploited through crafted messages. Attackers who are capable of providing forged messages and receiving feedback on decryption success can initiate an invalid curve attack, potentially leading to the exposure of the victim's ECDH private key. This vulnerability highlights the importance of robust cryptographic practices in software development.

References

https://sec-consult.com/en/blog/advisories/multiple-vulne...
x_refsource_MISC
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publi...
x_refsource_MISC
https://github.com/openpgpjs/openpgpjs/releases/tag/v4.3.0
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2019-9155 : Cryptographic Vulnerability in OpenPGP.js Allows ECDH Private Key Exposure