1. CVE-Search
  2. CVE-2015-8013
ID CVE-2015-8013
Summary s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message.
References
Vulnerable Configurations
  • cpe:2.3:a:openpgpjs:openpgpjs:0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.6.5:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.7.2:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.11.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:0.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:0.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgpjs:openpgpjs:1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:openpgpjs:openpgpjs:1.2.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 10-08-2017 - 13:15)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 77088
confirm https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29
mlist [oss-security] 20151030 Re: CVE Request: Openpgp.js Critical vulnerability in S2K
Last major update 10-08-2017 - 13:15
Published 25-07-2017 - 18:29
Last modified 10-08-2017 - 13:15
Back to Top