CVE-2022-24773Improper Verification of Cryptographic Signature in Forge

CWE-347Improper Verification of Cryptographic Signature6 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 68.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Digitalbazaar ForgeDebian Node-node-forge
Timeline
PublishedMar 18

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDdigitalbazaar/forge< 1.3.0
debiandebian/node-node-forge< node-node-forge 0.10.0~dfsg-3+deb11u1 (bullseye)

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Improper Verification of Cryptographic Signature in `node-forge`2022-03-18
OSV
Improper Verification of Cryptographic Signature in `node-forge`2022-03-18
OSV
CVE-2022-24773: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript2022-03-18

📋Vendor Advisories

2
Red Hat
node-forge: Signature verification leniency in checking `DigestInfo` structure2022-03-18
Debian
CVE-2022-24773: node-node-forge - Forge (also called `node-forge`) is a native implementation of Transport Layer S...2022
CVE-2022-24773 — Digitalbazaar Forge vulnerability | cvebase