7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9153

GHSA ID

GHSA-qwqc-28w3-fww6

EPSS Score

0.57619%

CWE

CWE-347

Published

8/23/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-9153

CVE-2019-9153: Message Signature Bypass in openpgp

Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to to construct a message with a signature type that only verifies subpackets without additional input (such as standalone or timestamp). For example, an attacker that captures a standalone signature packet from a victim can construct arbitrary signed messages that would be verified correctly.

Recommendation

Upgrade to version 4.2.0 or later. If you are upgrading from a version <4.0.0 it is highly recommended to read the High-Level API Changes section of the openpgp 4.0.0 release: https://github.com/openpgpjs/openpgpjs/releases/tag/v4.0.0

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-9153

GHSA ID

GHSA-qwqc-28w3-fww6

EPSS Score

0.57619%

CWE

CWE-347

Published

8/23/2019

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openpgp	npm	<= 4.1.2	4.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper signature type validation during message verification. The commit 327d3e5 shows the fix was adding a filter to only accept 'text' or 'binary' signature types in createVerificationObjects. The test case in message_signature_bypass.js demonstrates how replacing a text signature with a standalone signature would be accepted without this filter. The function's pre-patch behavior of processing all signature types without type validation directly enabled the signature bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `op*np*p` prior to *.*.* *r* vuln*r**l* to M*ss*** Si*n*tur* *yp*ss. T** p**k*** **ils to v*ri*y t**t * m*ss*** si*n*tur* is o* typ* `t*xt`. T*is *llows *n *tt**k*r to to *onstru*t * m*ss*** wit* * si*n*tur* typ* t**t only v*ri*i*s su*p**

Reasoning

T** vuln*r**ility st*ms *rom improp*r si*n*tur* typ* v*li**tion *urin* m*ss*** v*ri*i**tion. T** *ommit ******* s*ows t** *ix w*s ***in* * *ilt*r to only ****pt 't*xt' or '*in*ry' si*n*tur* typ*s in *r**t*V*ri*i**tionO*j**ts. T** t*st **s* in m*ss***

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-9153: Message Signature Bypass in openpgp

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI