CVE-2022-24771

Опубликовано: 18 мар. 2022

Источник: ubuntu

Приоритет: medium

CVSS2: 5

CVSS3: 7.5

Описание

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Релиз	Статус	Примечание
devel	DNE
esm-apps/focal	needs-triage
esm-apps/jammy	needs-triage
focal	ignored	end of standard support, was needs-triage
impish	ignored	end of life
jammy	needs-triage
kinetic	ignored	end of life, was needs-triage
lunar	DNE
mantic	DNE
noble	DNE

Показывать по

Ссылки на источники

5 Medium

CVSS2

7.5 High

CVSS3

Связанные уязвимости

CVE-2022-24771

CVSS3: 7.5

redhat

почти 4 года назад

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

CVE-2022-24771

CVSS3: 7.5

nvd

почти 4 года назад

CVE-2022-24771

CVSS3: 7.5

debian

почти 4 года назад

Forge (also called `node-forge`) is a native implementation of Transpo ...

GHSA-cfm4-qjh2-4765

CVSS3: 7.5

github

почти 4 года назад

Improper Verification of Cryptographic Signature in node-forge

5 Medium

CVSS2

7.5 High

CVSS3

CVE-2022-24771

Описание

Пакет node-node-forge

Ссылки на источники

Связанные уязвимости