endpointlabs / VulnerableDotNetCore3Project

.Net Core 3.0

CVE-2022-24771 | node-forge:0.10.0 (CWE-347) #91

Closed ckalpakoglu closed 1 year ago

ckalpakoglu commented 1 year ago

Due Date: 2023-01-10

A high severity vulnerability has been discovered in your project.

Project Name: kondukto-ui-vue

Scanner Name: dependabot

Cwe ID: 347

Cwe Name: Improper Verification of Cryptographic Signature

Cwe Link: https://cwe.mitre.org/data/definitions/347.html

File: package-lock.json

Packages:

References:

Training(Secure Code Warrior):


Tool Description: ### Summary

Improper Verification of Cryptographic Signature in node-forge

Fixed Patch

1.3.0

Impact

RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

Patches

The issue has been addressed in node-forge 1.3.0.

References

For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.

For more information

If you have any questions or comments about this advisory:

Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e706

Deeplink: https://github.com/advisories/GHSA-cfm4-qjh2-4765

ckalpakoglu commented 1 year ago

The issue has been closed by Kondukto since it is marked as won't fix.