CVE-2019-9155: Cryptographic Issues

August 22, 2019 (updated August 30, 2019)

A cryptographic issue in OpenPGP.js allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim’s ECDH private key.

References

packetstormsecurity.com/files/154191/OpenPGP.js-4.2.0-Signature-Bypass-Invalid-Curve-Attack.html
nvd.nist.gov/vuln/detail/CVE-2019-9155

Detect and mitigate CVE-2019-9155 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →