Vulnerability Description
s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openpgpjs | Openpgpjs | <= 1.2.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2015/10/30/5Mailing List
- http://www.securityfocus.com/bid/77088Third Party AdvisoryVDB Entry
- https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54PatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2015/10/30/5Mailing List
- http://www.securityfocus.com/bid/77088Third Party AdvisoryVDB Entry
- https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54PatchThird Party Advisory
FAQ
What is CVE-2015-8013?
CVE-2015-8013 is a vulnerability with a CVSS score of 7.5 (HIGH). s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentica...
How severe is CVE-2015-8013?
CVE-2015-8013 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8013?
Check the references section above for vendor advisories and patch information. Affected products include: Openpgpjs Openpgpjs.