Misleading message verification in golang.org/x/crypto/openpgp/clearsign
Overview
Source
ID: GO-2023-1992
Aliases: CVE-2019-11841, GHSA-x3jr-pf6g-c48f
Affected package
Description
The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking that unverified text is part of the signed message.
With the fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.
Summary
Total packages affected: 10.07k
Packages with at least one version that is affected by the advisory or has an affected dependency.
Packages with a known fix: 2.52k
Packages with versions affected by the advisory that have a greater version that is not affected.
Total ecosystem affected: 0.75%
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected versions: Introduced: 0; Fixed: 0.0.0-20190424203555-c05e17bb3b2d