Description
browserify-sign is a package that duplicates the functionality of node's crypto public key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. A missing upper bound check in the `dsaVerify` function allows an attacker to construct signatures that verify successfully under any public key, which amounts to a signature forgery attack. Every place in this project that performs DSA verification of user-supplied signatures is affected by this vulnerability. The issue has been patched in version 4.2.2.
A flaw was found in the browserify-sign node package. This issue may allow a malicious user to carry out a signature forgery attack, because cryptographic DSA signatures are not checked correctly, resulting in a jeopardized environment.
Statement
An attacker could compromise the integrity of a server that handles untrusted input because of the faulty DSA verification, for example by pretending to be a legitimate user and gaining unauthorized access. Therefore, the impact of this vulnerability is Important. Red Hat Fuse 7 uses browserify-sign only as a transitive development dependency, hence the Low impact for that product.
Mitigation
No current mitigation is yet available for this flaw.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | |
OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Affected | |
OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel8 | Affected | |
OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Affected | |
OpenShift Serverless | browserify-sign | Will not fix | |
OpenShift Service Mesh 2 | openshift-service-mesh/kiali-rhel8 | Will not fix | |
Red Hat 3scale API Management Platform 2 | browserify-sign | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | aap-azure-ui | Not affected | |
Red Hat build of Apicurio Registry 2 | browserify-sign | Not affected | |
Additional information
CVSS3 base score: 7.5 High
Related vulnerabilities
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
CVSS3 base score: 7.5 High