GHSA-2r2c-g63r-vccr

Source
https://github.com/advisories/GHSA-2r2c-g63r-vccr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2r2c-g63r-vccr/GHSA-2r2c-g63r-vccr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2r2c-g63r-vccr
Aliases
Published
2022-03-18T23:10:48Z
Modified
2023-11-08T04:08:35.918577Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Improper Verification of Cryptographic Signature in `node-forge`
Details

Impact

The RSA PKCS#1 v1.5 signature verification code does not properly check that DigestInfo has a proper ASN.1 structure. As a result, signatures that contain invalid structures but a valid digest can verify successfully.
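
The difference between a lenient and a strict DigestInfo check, as an added example that is not node-forge's code: the strict check re-encodes the expected EMSA-PKCS1-v1_5 value and compares it byte for byte, the approach RFC 8017 describes for verification. The function names, the sample message and the corrupted sample are constructed for illustration, and `lenientCheck` is a simplified stand-in for the bug class, not the library's parser.

```javascript
const nodeCrypto = require('node:crypto');

// DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');
const sha256 = (m) => nodeCrypto.createHash('sha256').update(m).digest();

// The single valid encoding: 00 01 FF..FF 00 || DigestInfo(SHA-256, digest).
function expectedEM(message, emLen) {
  const t = Buffer.concat([SHA256_PREFIX, sha256(message)]);
  if (emLen < t.length + 11) throw new Error('encoded message too short');
  const ps = Buffer.alloc(emLen - t.length - 3, 0xff);
  return Buffer.concat([Buffer.from([0x00, 0x01]), ps, Buffer.from([0x00]), t]);
}

// Strict: `em` is the value recovered by the RSA public-key operation.
// Any deviation in padding or DigestInfo structure fails the comparison.
function strictCheck(em, message) {
  if (em.length < SHA256_PREFIX.length + 32 + 11) return false;
  return nodeCrypto.timingSafeEqual(em, expectedEM(message, em.length));
}

// Lenient (hypothetical, simplified): checks the block type and the trailing
// digest only, so the DigestInfo structure in between is never validated.
function lenientCheck(em, message) {
  const digest = sha256(message);
  if (em.length < digest.length + 2 || em[0] !== 0x00 || em[1] !== 0x01) return false;
  return em.subarray(em.length - digest.length).equals(digest);
}

// Constructed samples: a well-formed 2048-bit encoded message, and a copy in
// which the NULL parameters tag (0x05) of the AlgorithmIdentifier is replaced,
// leaving the digest intact but the ASN.1 structure invalid.
const msg = Buffer.from('constructed sample message');
const goodEM = expectedEM(msg, 256);
const badEM = Buffer.from(goodEM);
badEM[badEM.length - 36] = 0x0c;

function demo() {
  return {
    strictGood: strictCheck(goodEM, msg),
    strictBad: strictCheck(badEM, msg),
    lenientBad: lenientCheck(badEM, msg),
  };
}
console.log(demo());
```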

Patches

The issue has been addressed in node-forge 1.3.0.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in forge
  • Email us at example email address

References

Affected packages

npm / node-forge

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.3.0