CVE-2022-24772

Published: Mar 18, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

Affected (1)

Products: Digitalbazaar: Forge

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Digitalbazaar Forge	Before 1.3.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g

Source: security-advisories@github.com

Third Party Advisory

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.