CVE-2019-11841: Improper Verification of Cryptographic Signature in X Crypto

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.4% (top 39.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 22; latest update Aug 23

Description

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequent

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Exploitability: 2.2 | Impact: 3.6)

Affected Packages (2 packages)

Go: golang.org/x/crypto < 0.0.0-20190424203555-c05e17bb3b2d
NVD: golang/crypto 2019-03-25

Also affects: Debian Linux 8.0, 9.0

Vulnerability Details (5)

OSV: Misleading message verification in golang.org/x/crypto/openpgp/clearsign (2023-08-23)
OSV: Golang/x/crypto message forgery vulnerability (2022-05-24)
GHSA: Golang/x/crypto message forgery vulnerability (2022-05-24)
CVEList: CVE-2019-11841: A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign (2019-05-22)
OSV: CVE-2019-11841: A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign (2019-05-22)

Vendor Advisories (1)

Debian: CVE-2019-11841: golang-go.crypto - A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go ... (2019)

Source: CVE-2019-11841 - Golang.org X Crypto vulnerability | cvebase