Improper Verification of Cryptographic Signature in `node-forge` - node-forge - GHSA-2r2c-g63r-vccr

Severity:: Medium

Description

RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Recommendation

Update the node-forge package to the latest compatible version. Followings are version details:

Affected version(s): < 1.3.0
Patched version(s): 1.3.0

References

GHSA-2r2c-g63r-vccr
CVE-2022-24773
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
Improper Verification of Cryptographic Signature in node-forge - node-forge - CVE-2022-24771
Improper Verification of Cryptographic Signature - CVE-2021-32685
Open Redirect in node-forge - CVE-2022-0122

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; node-forge

Anything's wrong? Let us know Last updated on January 27, 2023