Описание
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
A flaw was found in Forge (also known as node-forge), a JavaScript implementation of Transport Layer Security (TLS). The pki.verifyCertificateChain() function does not properly enforce certificate validation rules. This oversight allows an intermediate certificate that lacks specific security extensions to enable any leaf certificate to function as a Certificate Authority (CA) and sign other certificates. Consequently, node-forge could accept these unauthorized certificates as valid, potentially leading to spoofing or the issuance of illegitimate certificates.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 4 | io.cryostat-cryostat | Affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel9 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-operator-bundle | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-proxy-rhel9 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel9-operator | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-curator5-rhel9 | Will not fix | ||
| Red Hat Ansible Automation Platform 2 | automation-eda-controller | Affected | ||
| Red Hat Ansible Automation Platform 2 | automation-gateway | Affected | ||
| Red Hat Ansible Automation Platform 2 | automation-platform-ui | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.4 High
CVSS3
Связанные уязвимости
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Forge (also called `node-forge`) is a native implementation of Transpo ...
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
EPSS
7.4 High
CVSS3