CVE-2022-24771

Published: Mar 18, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

Affected (1)

Products: Digitalbazaar: Forge

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Digitalbazaar Forge	Before 1.3.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765

Source: security-advisories@github.com

Third Party Advisory

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.