Fluid Attacks Database

Description

Improper Verification of Cryptographic Signature in node-forge

Impact

RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Patches

The issue has been addressed in node-forge 1.3.0.

For more information

If you have any questions or comments about this advisory:

Open an issue in forge

Email us at example email address

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-node-forge	=0.10.0~dfsg-3 \|\| >=0 <0.10.0~dfsg-3+deb11u1	0.10.0~dfsg-3+deb11u1
npm	node-forge	>=0 <1.3.0	1.3.0
npm	forge	>=0 <1.3.0	2.1.0
rpm rhel8	pcs	-	-

Aliases

1. CVE-2022-247732. NVD-2022-247733. OSV-DEBIAN-2022-247734. OSV-2022-247735. GHSA-2r2c-g63r-vccr6. GCVE-2022-247737. SECURITY-TRACKER-CVE-2022-247738. GHSA-2r2c-g63r-vccr

References

1. https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr2. https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df13. https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2