{
  "id": "CVE-2023-41037",
  "summary": "Cleartext Signed Message Signature Spoofing in openpgpjs",
  "details": "OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. OpenPGP Cleartext Signed Messages are cryptographically signed messages whose signed text is readable without special tools. These messages typically contain a \"Hash: ...\" header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the \"Hash: ...\" header when verifying the signature. As a result, a malicious party could prepend arbitrary text to a third party's Cleartext Signed Message and lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to this attack if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data`, and instead _visually trusting_ the contents of the original armored message. Since `verificationResult.data` always contains the actual signed data, users and applications that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()`) also produces a \"sanitised\" version with the extraneous text removed. This issue has been addressed in version 5.10.1 (current stable version), which rejects such messages when calling `openpgp.readCleartextMessage()`, and in version 4.10.11 (legacy version), which rejects them when calling `openpgp.cleartext.readArmored()`. Users are advised to upgrade.\n\nUsers unable to upgrade should check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.",
  "aliases": ["GHSA-ch3c-v47x-4pgp"],
  "modified": "2026-04-10T05:01:02.373900Z",
  "published": "2023-08-29T16:46:47.708Z",
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": ["CWE-347"],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41037.json"
  },
  "references": [
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41037.json"},
    {"type": "ADVISORY", "url": "https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-ch3c-v47x-4pgp"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41037"},
    {"type": "FIX", "url": "https://github.com/openpgpjs/openpgpjs/commit/6b43e02a254853f5ff508ebd1b07541f78b7c566"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/openpgpjs/openpgpjs",
          "events": [{"introduced": "0"}, {"fixed": "d8a1e25a5248a066356e0130668d4055209b5f74"}],
          "database_specific": {"versions": [{"introduced": "0"}, {"fixed": "4.10.11"}]}
        },
        {
          "type": "GIT",
          "repo": "https://github.com/openpgpjs/openpgpjs",
          "events": [{"introduced": "acafb2866128d11dd55b7d0927957cd3880c7422"}, {"fixed": "5d02e3a03e45fd4e6153d309ff2f18882e9a810a"}],
          "database_specific": {"versions": [{"introduced": "5.0.0"}, {"fixed": "5.10.1"}]}
        }
      ],
      "versions": ["v0.10.0","v0.10.1","v0.10.2","v0.10.3","v0.11.0","v0.11.1","v0.2.0","v0.2.1","v0.3.0","v0.3.1","v0.3.2","v0.4.0","v0.4.1","v0.5.0","v0.5.1","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.6.5","v0.7.0","v0.7.1","v0.7.2","v0.8.0","v0.8.1","v0.8.2","v0.9.0","v1.0.0","v1.0.1","v1.1.0","v1.2.0","v1.3.0","v1.4.0","v1.4.1","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.6","v1.5.7","v2.0.0","v2.0.1","v2.1.0","v2.2.0","v2.2.1","v2.2.2","v2.3.0","v2.3.1","v2.3.2","v3.0.11","v3.0.12","v3.0.13","v3.0.4","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v4.0.0","v4.0.1","v4.0.2","v4.1.0","v4.1.1","v4.1.2","v4.10.0","v4.10.1","v4.10.10","v4.10.2","v4.10.3","v4.10.4","v4.10.5","v4.10.6","v4.10.7","v4.10.8","v4.10.9","v4.2.0","v4.2.1","v4.2.2","v4.3.0","v4.4.1","v4.4.2","v4.4.3","v4.4.4","v4.4.5","v4.4.6","v4.4.7","v4.5.1","v4.5.2","v4.5.3","v4.5.4","v4.5.5","v4.6.0","v4.6.1","v4.6.2","v4.7.0","v4.7.1","v4.7.2","v4.8.0","v4.8.1","v4.9.0","v4.9.1","v5.0.0","v5.0.1","v5.1.0","v5.10.0","v5.2.0","v5.2.1","v5.3.0","v5.3.1","v5.4.0","v5.5.0","v5.6.0","v5.7.0","v5.8.0","v5.9.0"],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41037.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]
}