OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE–2022–24771 #186

Closed debricked[bot] closed 1 year ago

debricked[bot] commented 2 years ago

CVE–2022–24771

Vulnerable dependency: node-forge (npm) 0.10.0

Vulnerability details

Description

### Improper Verification of Cryptographic Signature

> The software does not verify, or incorrectly verifies, the cryptographic signature for data.

### NVD

> Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

### GitHub

> Improper Verification of Cryptographic Signature in node-forge
>
> ### Impact
>
> RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.
>
> ### Patches
>
> The issue has been addressed in `node-forge` `1.3.0`.
>
> ### References
>
> For more information, please see
> ["Bleichenbacher's RSA signature forgery based on implementation error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)
> by Hal Finney.
>
> ### For more information
>
> If you have any questions or comments about this advisory:
> * Open an issue in [forge](https://github.com/digitalbazaar/forge)
> * Email us at [example email address](mailto:security@digitalbazaar.com)

CVSS details - 7.5

|CVSS3 metrics||
|:-|:-|
|Attack Vector|**Network**|
|Attack Complexity|**Low**|
|Privileges Required|**None**|
|User interaction|**None**|
|Scope|**Unchanged**|
|Confidentiality|**None**|
|Integrity|**High**|
|Availability|**None**|

References

* [Improper Verification of Cryptographic Signature in node-forge · CVE-2022-24771 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-cfm4-qjh2-4765)
* [NVD - CVE-2022-24771](https://nvd.nist.gov/vuln/detail/CVE-2022-24771)
* [RSA PKCS#1 v1.5 signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery. · Advisory · digitalbazaar/forge · GitHub](https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765)
* [Fix signature verification issues. · digitalbazaar/forge@3f0b49a · GitHub](https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1)
* [Add advisory links. · digitalbazaar/forge@bb822c0 · GitHub](https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2)

Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE
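
The advisory quoted in the comment above describes a verifier that is lenient about the structure of the decoded PKCS#1 v1.5 block. As an added example (not code from node-forge or from this repository), a strict check rebuilds the single valid encoding for the digest and compares it byte for byte, so shortened padding, trailing bytes and altered `DigestInfo` fields are all rejected. The function names and sample blocks are constructed for illustration, and only SHA-256 is handled.

```javascript
// Added example: strict EMSA-PKCS1-v1_5 check (re-encode, then compare).

// DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');

// Build the single valid encoding: 00 01 FF..FF 00 || DigestInfo || digest.
function encodeExpectedEM(digest, k) {
  if (digest.length !== 32) throw new Error('expected a 32-byte SHA-256 digest');
  const t = Buffer.concat([SHA256_PREFIX, digest]);
  const psLen = k - t.length - 3;
  if (psLen < 8) throw new Error('modulus too short for this digest');
  return Buffer.concat([
    Buffer.from([0x00, 0x01]), Buffer.alloc(psLen, 0xff), Buffer.from([0x00]), t,
  ]);
}

// `em` is the block recovered by the RSA public-key operation, k bytes long.
// Accept only an exact match: no ASN.1 parsing, no skipped bytes.
function strictCheckEM(em, digest, k) {
  if (em.length !== k) return false;
  const expected = encodeExpectedEM(digest, k);
  let diff = 0;
  for (let i = 0; i < k; i++) diff |= em[i] ^ expected[i];
  return diff === 0;
}

// Constructed sample blocks (not real signatures) for a 2048-bit modulus.
function sampleResults() {
  const k = 256;
  // SHA-256("abc"), used here only as a sample digest.
  const digest = Buffer.from(
    'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad', 'hex');
  const good = encodeExpectedEM(digest, k);
  const t = good.subarray(k - 51); // DigestInfo || digest
  // Malformed: padding cut to 8 bytes, filler bytes after the digest.
  const shortPadding = Buffer.concat([
    Buffer.from([0x00, 0x01]), Buffer.alloc(8, 0xff), Buffer.from([0x00]),
    t, Buffer.alloc(k - 62, 0x41),
  ]);
  // Malformed: tag of the NULL algorithm parameters altered (05 -> 04).
  const badParams = Buffer.from(good);
  badParams[k - 36] ^= 0x01;
  return {
    good: strictCheckEM(good, digest, k),
    shortPadding: strictCheckEM(shortPadding, digest, k),
    badParams: strictCheckEM(badParams, digest, k),
  };
}
```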

 

GufCab commented 1 year ago

Merged into latest release on master (v.1.3.0). Closing.