PT-2022-16869 · Unknown · Node-Forge

Moosa Yahyazadeh · Published 2022-03-18 · Updated 2022-03-28 · CVE-2022-24773

CVSS v3.1 5.3 (Medium)
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: node-forge versions prior to 1.3.0
Description: The issue concerns the RSA PKCS#1 v1.5 signature verification code in node-forge, which does not check that the DigestInfo recovered from a signature has the proper ASN.1 (DER) structure. Verification can therefore succeed for signatures whose DigestInfo is malformed but which carry the correct digest.
Recommendations: For node-forge versions prior to 1.3.0, update to version 1.3.0 to address the issue. As a temporary workaround, consider restricting the use of the RSA PKCS#1 v1.5 signature verification code until the patch is applied.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2022-24773
GHSA-2R2C-G63R-VCCR

Affected Products

Node-Forge