CVE-2015-8013

OpenPGP 1.2.0 and earlier decrypts arbitrary messages in npm/openpgp

Identifiers

GHSA-qmvq-f3fj-m3wg, CVE-2015-8013

Package Slug

npm/openpgp

Vulnerability

OpenPGP 1.2.0 and earlier decrypts arbitrary messages

Description

s2k.js in OpenPGP.js decrypts arbitrary messages regardless of passphrase when given crafted PGP keys. If message decryption is used as an authentication mechanism, a remote attacker can bypass authentication with a crafted symmetrically encrypted PGP message.

Affected Versions

All versions before 1.3.0

Solution

Upgrade to version 1.3.0 or above.

Last Modified

2022-06-19
