Improper Verification of Cryptographic Signature in node-forge
Fixed Patch: 1.3.0
Impact
RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
Patches
The issue has been addressed in node-forge 1.3.0.
For more information
If you have any questions or comments about this advisory:
Due Date: 2023-01-10
A medium severity vulnerability has been discovered in your project.
Project Name: kondukto-ui-vue
Scanner Name: dependabot
Cwe ID: 347
Cwe Name: Improper Verification of Cryptographic Signature
Cwe Link: https://cwe.mitre.org/data/definitions/347.html
File: package-lock.json
Packages:
References:
Training(Secure Code Warrior):
Name: Improper Verification of Cryptographic Signature
Description: The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/mobile/broken_cryptography
Videos:
Tool Description: Improper Verification of Cryptographic Signature in node-forge
Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e708
Deeplink: https://github.com/advisories/GHSA-2r2c-g63r-vccr