Improper Verification of Cryptographic Signature in node-forge
Fixed Patch
1.3.0
Impact
RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.
Due Date: 2023-01-10
A high severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
Cwe ID: 347
Cwe Name: Improper Verification of Cryptographic Signature
Cwe Link: https://cwe.mitre.org/data/definitions/347.html
File: package-lock.json
Packages:
References:
Training(Secure Code Warrior):
Name: Improper Verification of Cryptographic Signature
Description: The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/mobile/broken_cryptography
Videos:
Tool Description: ### Summary
Improper Verification of Cryptographic Signature in node-forge
Fixed Patch
1.3.0
Impact
RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a
DigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.Patches
The issue has been addressed in
node-forge
1.3.0
.References
For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
For more information
If you have any questions or comments about this advisory:
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5fcca3d519b1e228a Deeplink: https://github.com/advisories/GHSA-x4jg-mjrx-434g