CVE-2022-24773

Published: Mar 18, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

Affected (1)

Products: Digitalbazaar: Forge

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Digitalbazaar Forge	Before 1.3.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr

Source: security-advisories@github.com

Third Party Advisory

https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.