Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-zvd3-3b1h-77ef

Summary

Golang/x/crypto message forgery vulnerability
A message-forgery issue was discovered in `crypto/openpgp/clearsign/clearsign.go` in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

Aliases

alias	CVE-2019-11841

alias	GHSA-x3jr-pf6g-c48f

Fixed_packages

url	pkg:deb/debian/golang-go.crypto@1:0.0~git20200221.2aa609c-1?distro=trixie
purl	pkg:deb/debian/golang-go.crypto@1:0.0~git20200221.2aa609c-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20200221.2aa609c-1%3Fdistro=trixie

url pkg:deb/debian/golang-go.crypto@1:0.0~git20201221.eec23a3-1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20201221.eec23a3-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1n1h-e2p4-9yhs

vulnerability	VCID-cmts-6kz4-zkh8

vulnerability	VCID-et4d-ak3r-1bfa

vulnerability	VCID-hu5a-ewvg-6ya7

vulnerability	VCID-jwxs-gteb-kfg5

vulnerability	VCID-jzn6-bzzf-nugp

vulnerability	VCID-mn45-w3s3-syej

vulnerability	VCID-n34c-71wq-s3e4

vulnerability	VCID-sty6-gwh1-hbcy

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20201221.eec23a3-1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20201221.eec23a3-1?distro=trixie

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20201221.eec23a3-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1n1h-e2p4-9yhs

vulnerability	VCID-cmts-6kz4-zkh8

vulnerability	VCID-et4d-ak3r-1bfa

vulnerability	VCID-hu5a-ewvg-6ya7

vulnerability	VCID-jwxs-gteb-kfg5

vulnerability	VCID-jzn6-bzzf-nugp

vulnerability	VCID-mn45-w3s3-syej

vulnerability	VCID-n34c-71wq-s3e4

vulnerability	VCID-sty6-gwh1-hbcy

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20201221.eec23a3-1%3Fdistro=trixie

url pkg:deb/debian/golang-go.crypto@1:0.4.0-1?distro=trixie

purl pkg:deb/debian/golang-go.crypto@1:0.4.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cmts-6kz4-zkh8

vulnerability	VCID-hu5a-ewvg-6ya7

vulnerability	VCID-jwxs-gteb-kfg5

vulnerability	VCID-jzn6-bzzf-nugp

vulnerability	VCID-mn45-w3s3-syej

vulnerability	VCID-sty6-gwh1-hbcy

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.4.0-1%3Fdistro=trixie

url pkg:deb/debian/golang-go.crypto@1:0.25.0-1?distro=trixie

purl pkg:deb/debian/golang-go.crypto@1:0.25.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cmts-6kz4-zkh8

vulnerability	VCID-hu5a-ewvg-6ya7

vulnerability	VCID-jwxs-gteb-kfg5

vulnerability	VCID-mn45-w3s3-syej

vulnerability	VCID-sty6-gwh1-hbcy

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.25.0-1%3Fdistro=trixie

url	pkg:deb/debian/golang-go.crypto@1:0.47.0-1?distro=trixie
purl	pkg:deb/debian/golang-go.crypto@1:0.47.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.47.0-1%3Fdistro=trixie

Affected_packages

url pkg:deb/debian/golang-go.crypto@0.0~hg190-1

purl pkg:deb/debian/golang-go.crypto@0.0~hg190-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-t5dk-qg2g-3qhp

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@0.0~hg190-1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20150608-1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20150608-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-t5dk-qg2g-3qhp

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20150608-1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20161012.0.5f31782-1~bpo8%2B1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20161012.0.5f31782-1~bpo8%2B1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-t5dk-qg2g-3qhp

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20161012.0.5f31782-1~bpo8%252B1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20161012.0.5f31782-1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20161012.0.5f31782-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-t5dk-qg2g-3qhp

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20161012.0.5f31782-1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20170407.0.55a552f%2BREALLY.0.0~git20161012.0.5f31782-1~bpo8%2B1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20170407.0.55a552f%2BREALLY.0.0~git20161012.0.5f31782-1~bpo8%2B1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-t5dk-qg2g-3qhp

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20170407.0.55a552f%252BREALLY.0.0~git20161012.0.5f31782-1~bpo8%252B1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20170407.0.55a552f%2BREALLY.0.0~git20161012.0.5f31782-1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20170407.0.55a552f%2BREALLY.0.0~git20161012.0.5f31782-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20170407.0.55a552f%252BREALLY.0.0~git20161012.0.5f31782-1

url pkg:deb/debian/golang-go.crypto@1:0.0~git20181203.505ab14-1

purl pkg:deb/debian/golang-go.crypto@1:0.0~git20181203.505ab14-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-37zk-9fax-v7e1

vulnerability	VCID-3tpx-rnju-w3dw

vulnerability	VCID-andp-4snd-rbbt

vulnerability	VCID-zvd3-3b1h-77ef

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-go.crypto@1:0.0~git20181203.505ab14-1

References

reference_url

http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-11841

reference_id

reference_type

scores

value	0.00397
scoring_system	epss
scoring_elements	0.60586
published_at	2026-04-16T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60545
published_at	2026-04-13T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60525
published_at	2026-04-04T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60592
published_at	2026-04-18T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60566
published_at	2026-04-12T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.6058
published_at	2026-04-11T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60559
published_at	2026-04-09T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60543
published_at	2026-04-08T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60494
published_at	2026-04-07T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60423
published_at	2026-04-01T12:55:00Z

value	0.00397
scoring_system	epss
scoring_elements	0.60498
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-11841

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11841
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11841

reference_url

https://github.com/golang/crypto/commit/c05e17bb3b2dca130fc919668a96b4bec9eb9442

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/golang/crypto/commit/c05e17bb3b2dca130fc919668a96b4bec9eb9442

reference_url

https://github.com/golang/crypto/tree/master/openpgp/clearsign

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/golang/crypto/tree/master/openpgp/clearsign

reference_url

https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442

reference_url

https://go-review.git.corp.google.com/c/crypto/+/173778

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://go-review.git.corp.google.com/c/crypto/+/173778

reference_url

https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ

reference_url

https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2019/09/msg00011.html

reference_url

https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html

reference_url

https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-11841

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-11841

reference_url

https://pkg.go.dev/vuln/GO-2023-1992

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pkg.go.dev/vuln/GO-2023-1992

reference_url

https://web.archive.org/web/20201207161832/https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20201207161832/https://sec-consult.com/en/blog/advisories/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841

Weaknesses

cwe_id	347
name	Improper Verification of Cryptographic Signature
description	The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Exploits

Severity_range_score 4.0 - 6.9

Exploitability 0.5

Weighted_severity 6.2

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zvd3-3b1h-77ef

Vulnerability Instance