CVE-2022-24773 | node-forge:0.10.0 (CWE-347)

[ckalpakoglu]

Due Date: 2023-01-10

A medium severity vulnerability has been discovered in your project.

Project Name: kondukto-ui-vue

Scanner Name: dependabot

Cwe ID: 347

Cwe Name: Improper Verification of Cryptographic Signature

Cwe Link: https://cwe.mitre.org/data/definitions/347.html

File: package-lock.json

Packages:

• node-forge:0.10.0

References:

• https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
• https://nvd.nist.gov/vuln/detail/CVE-2022-24773
• https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
• https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2
• https://github.com/advisories/GHSA-2r2c-g63r-vccr

Training(Secure Code Warrior):

• Name: Improper Verification of Cryptographic Signature

• Description: The software does not verify, or incorrectly verifies, the cryptographic signature for data.

• Link: https://portal.securecodewarrior.com/?utm_source=partner-integration:kondukto#/contextual-microlearning/mobile/broken_cryptography

• Videos:

---

Tool Description: ### Summary

Improper Verification of Cryptographic Signature in node-forge

Fixed Patch

1.3.0

Impact

RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Patches

The issue has been addressed in node-forge 1.3.0.

For more information

If you have any questions or comments about this advisory:

• Open an issue in forge
• Email us at example email address

Kondukto Link: https://82.kondukto.local/projects/63b2e875fcd0c2a01b845757/vulns/appsec?page=1&perPage=15&id=in:63bbc8a5b3a8a9664878e708 Deeplink: https://github.com/advisories/GHSA-2r2c-g63r-vccr

[ckalpakoglu]

The issue has been closed by Kondukto since it is marked as won't fix.