Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
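A strict pre-check for the armor header block described above, as an added example (not code from the Go cryptography libraries). `DeclaredHashes` and `HeaderMatchesSignature` are hypothetical helpers, and the digest name passed as `actual` is assumed to come from the signature packet after verification.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const beginMarker = "-----BEGIN PGP SIGNED MESSAGE-----"
// Digest names defined in RFC 4880 section 9.4.
var knownHashes = map[string]bool{"MD5": true, "SHA1": true, "RIPEMD160": true,
	"SHA256": true, "SHA384": true, "SHA512": true, "SHA224": true}

// DeclaredHashes (hypothetical) strictly parses the armor headers and returns the "Hash" digests.
func DeclaredHashes(msg string) ([]string, error) {
	lines := strings.Split(strings.ReplaceAll(msg, "\r\n", "\n"), "\n")
	if lines[0] != beginMarker {
		return nil, errors.New("text precedes the cleartext header")
	}
	declared := []string{}
	for _, line := range lines[1:] {
		if line == "" { // the empty line ends the armor headers
			return declared, nil
		}
		if !strings.HasPrefix(line, "Hash: ") {
			return nil, fmt.Errorf("unexpected armor header %q", line)
		}
		for _, name := range strings.Split(strings.TrimPrefix(line, "Hash: "), ",") {
			if name = strings.TrimSpace(name); !knownHashes[name] {
				return nil, fmt.Errorf("unknown digest %q", name)
			}
			declared = append(declared, name)
		}
	}
	return nil, errors.New("armor headers not terminated by an empty line")
}

// HeaderMatchesSignature (hypothetical) checks the signature's real digest against the header.
func HeaderMatchesSignature(declared []string, actual string) bool {
	if len(declared) == 0 { // RFC 4880: with no "Hash" header, MD5 is used
		return actual == "MD5"
	}
	return strings.Contains(","+strings.Join(declared, ",")+",", ","+actual+",")
}

func main() {
	d, err := DeclaredHashes(beginMarker + "\nHash: SHA256\n\nhello\n") // constructed sample
	fmt.Println(d, err, HeaderMatchesSignature(d, "SHA256"))
}
```

A message that fails either check should be rejected before its content or its claimed digest is shown to the user.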
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
supplementary Go cryptography libraries data forgery vulnerability
Vulnerability Description
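supplementary Go cryptography libraries is a cryptography library. A data forgery vulnerability exists in the crypto/openpgp/clearsign/clearsign.go file in supplementary Go cryptography libraries version 2019-03-25. An attacker can exploit this vulnerability to forge message headers.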
CVSS Information
N/A
Vulnerability Type
N/A