CVE-2023-41037

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published: Aug 29, 2023
Updated: Sep 8, 2023
CWE ID: 347

Summary

CVE-2023-41037 affects OpenPGP.js, a JavaScript implementation of the OpenPGP protocol, up to version 5.9.0. The vulnerability allows malicious parties to manipulate Cleartext Signed Messages: during signature verification the library ignored any data preceding the "Hash: ..." armor header, so an attacker could prepend arbitrary text to a message and lead victims to believe that text was signed. Applications should not rely solely on the `verified` property or visually trust the message contents; instead they should verify (and display) the data in `verificationResult.data`, which holds only the text the signature actually covers. The issue has been fixed in versions 5.10.1 and 4.10.11, and users are advised to upgrade; until then, manually checking `verificationResult.data` is recommended.
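The following is an added example, not OpenPGP.js code: a strict reader for the cleartext signature framework that rejects anything other than "Hash:" headers between the BEGIN line and the signed text (the region this CVE concerns), plus a helper that compares the extracted text with the `data` a verifier returned (`verificationResult.data`). The function names and the sample messages are constructed for illustration; the signature body is a placeholder and is never parsed.

```javascript
// Added example (not OpenPGP.js code): a strict reader for the cleartext
// signature framework (RFC 4880, section 7). After the BEGIN line only
// "Hash:" armor headers may appear before the empty line that starts the
// signed text; anything else is rejected instead of silently dropped, so
// text wedged in front of "Hash:" can never be displayed as if signed.
const BEGIN_LINE = "-----BEGIN PGP SIGNED MESSAGE-----";
const SIG_BEGIN_LINE = "-----BEGIN PGP SIGNATURE-----";

function parseCleartextSigned(armored) {
  const lines = armored.replace(/\r\n/g, "\n").split("\n");
  if (lines[0] !== BEGIN_LINE) {
    throw new Error("armor must begin with the BEGIN PGP SIGNED MESSAGE line");
  }
  let i = 1;
  let hashHeaders = 0;
  // Header block: only "Hash:" lines are allowed until the mandatory empty line.
  for (; i < lines.length && lines[i] !== ""; i++) {
    if (!/^Hash: [A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*$/.test(lines[i])) {
      throw new Error("unexpected data before signed text: " + JSON.stringify(lines[i]));
    }
    hashHeaders++;
  }
  if (hashHeaders === 0 || i >= lines.length) {
    throw new Error("missing Hash header or empty separator line");
  }
  i++; // skip the empty line that separates headers from the signed text
  const sigStart = lines.indexOf(SIG_BEGIN_LINE, i);
  if (sigStart < 0) throw new Error("missing armored signature block");
  // Undo dash-escaping: lines that began with "-" were prefixed with "- ".
  const text = lines.slice(i, sigStart)
    .map(l => (l.startsWith("- ") ? l.slice(2) : l))
    .join("\n");
  return { text, signatureArmor: lines.slice(sigStart).join("\n") };
}

// Compare the extracted text with the `data` the verifier returned
// (verificationResult.data); trailing whitespace is not signed, so ignore it.
function signedTextMatches(armored, verifiedData) {
  const norm = s => s.split("\n").map(l => l.replace(/[ \t]+$/, "")).join("\n").replace(/\n+$/, "");
  return norm(parseCleartextSigned(armored).text) === norm(verifiedData);
}

// Constructed samples; the signature body is a placeholder, not a real signature.
const SIG_BLOCK = [SIG_BEGIN_LINE, "", "PLACEHOLDER_SIGNATURE_BODY", "=XXXX",
  "-----END PGP SIGNATURE-----"].join("\n");
const GOOD_MESSAGE = [BEGIN_LINE, "Hash: SHA256", "", "Pay 10 EUR to Alice", SIG_BLOCK].join("\n");
// Same signed text, with an unsigned line wedged between BEGIN and "Hash:".
const TAMPERED_MESSAGE = [BEGIN_LINE, "Pay 1000 EUR to Alice", "Hash: SHA256", "",
  "Pay 10 EUR to Alice", SIG_BLOCK].join("\n");
```

In an application, show the user only the `text` this reader returns (or `verificationResult.data` itself), and treat a `signedTextMatches` result of `false` as a verification failure regardless of the `verified` flag.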

