CVE-2015-8013: OpenPGP 1.2.0 and earlier decrypts arbitrary messages

May 17, 2022 (updated June 17, 2022)

s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message.

References

www.openwall.com/lists/oss-security/2015/10/30/5
github.com/advisories/GHSA-qmvq-f3fj-m3wg
github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29
nvd.nist.gov/vuln/detail/CVE-2015-8013

Code Behaviors & Features

Detect and mitigate CVE-2015-8013 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →