CVE-2019-9153: Message Signature Bypass in openpgp

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.57619%
Published: 8/23/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name: openpgp
Ecosystem: npm
Vulnerable Versions: <= 4.1.2
First Patched Version: 4.2.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper signature-type validation during message verification. Commit 327d3e5 fixes it by adding a filter in createVerificationObjects that accepts only 'text' or 'binary' signature types. The test case in message_signature_bypass.js demonstrates that, without this filter, a text signature replaced by a standalone signature would still be accepted. Before the patch the function processed every signature type without checking it, which directly enabled the signature bypass.

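The pre-patch and patched behaviour of the filter described above, as an added illustrative model in JavaScript (not openpgp.js's own code): the signature type values are the ones defined in RFC 4880, while the packet objects, key id and digests are constructed here.

```javascript
// Illustrative model of the check introduced by the fix; not openpgp.js code.
// Signature type values are the RFC 4880 ones; packets, key id and digests
// below are constructed for this example.
const SIGNATURE_TYPE = { binary: 0x00, text: 0x01, standalone: 0x02 };

// Constructed signature packet. A text/binary signature is computed over the
// message body, so verify() needs the matching digest. A standalone signature
// covers only its own subpackets, so it checks out against the signer's key
// no matter which message it is attached to.
function makeSignature(signatureType, issuerKeyId, signedDigest) {
  return {
    signatureType,
    issuerKeyId,
    verify(messageDigest) {
      if (signatureType === SIGNATURE_TYPE.standalone) return true;
      return messageDigest === signedDigest;
    },
  };
}

// The patched filter: only signature types that bind the message body count.
function isMessageSignatureType(packet) {
  return packet.signatureType === SIGNATURE_TYPE.text ||
         packet.signatureType === SIGNATURE_TYPE.binary;
}

// Model of createVerificationObjects before (filterTypes = false) and after
// (filterTypes = true) the fix.
function createVerificationObjects(signaturePackets, messageDigest, { filterTypes }) {
  const candidates = filterTypes
    ? signaturePackets.filter(isMessageSignatureType)
    : signaturePackets;
  return candidates.map(p => ({ keyid: p.issuerKeyId, valid: p.verify(messageDigest) }));
}

// A message is accepted when at least one verification object is valid.
function messageVerifies(signaturePackets, messageDigest, patched) {
  return createVerificationObjects(signaturePackets, messageDigest, { filterTypes: patched })
    .some(v => v.valid);
}

// Constructed scenario from the test case described above: the text signature
// over the original body is swapped for a standalone signature from the same key.
const KEY_ID = 'KEYID-EXAMPLE';
const genuine = [makeSignature(SIGNATURE_TYPE.text, KEY_ID, 'digest-original')];
const swapped = [makeSignature(SIGNATURE_TYPE.standalone, KEY_ID, null)];

console.log('pre-patch, swapped signature:', messageVerifies(swapped, 'digest-tampered', false));
console.log('patched, swapped signature:', messageVerifies(swapped, 'digest-tampered', true));
console.log('patched, genuine signature:', messageVerifies(genuine, 'digest-original', true));
```
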
WAF Protection Rules

WAF Rule

Versions of `openpgp` prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type `text`. This allows an attacker to construct a message with a signature type that only verifies subpac