CVE-2022-24772Improper Verification of Cryptographic Signature in Forge

CWE-347Improper Verification of Cryptographic Signature6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 65.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Digitalbazaar ForgeDebian Node-node-forge
Timeline
PublishedMar 18

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDdigitalbazaar/forge< 1.3.0
debiandebian/node-node-forge< node-node-forge 0.10.0~dfsg-3+deb11u1 (bullseye)

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
CVE-2022-24772: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript2022-03-18
OSV
Improper Verification of Cryptographic Signature in node-forge2022-03-18
GHSA
Improper Verification of Cryptographic Signature in node-forge2022-03-18

📋Vendor Advisories

2
Red Hat
node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery2022-03-18
Debian
CVE-2022-24772: node-node-forge - Forge (also called `node-forge`) is a native implementation of Transport Layer S...2022
CVE-2022-24772 — Digitalbazaar Forge vulnerability | cvebase