Lucene search
GitHub_MCVELIST:CVE-2022-24772HistoryMar 18, 2022 - 1:30 p.m.
CVE-2022-24772 Improper Verification of Cryptographic Signature in `node-forge`
2022-03-1813:30:20
CWE-347
GitHub_M
raw.githubusercontent.com
1
0.001 Low
EPSS
Percentile
30.5%
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Related
github
github
Improper Verification of Cryptographic Signature in node-forge
2022-03-18 23:10:28
osv
osv
CVE-2022-24772
2022-03-18 14:15:10
Improper Verification of Cryptographic Signature in node-forge
2022-03-18 23:10:28
ibm
ibm
prion
prion
Code injection
2022-03-18 14:15:00
veracode
veracode
Improper Verification Of Signature
2022-03-21 11:00:54
redhatcve
redhatcve
CVE-2022-24772
2022-03-23 21:03:33
cve
cve
CVE-2022-24772
2022-03-18 14:15:00
debiancve
debiancve
CVE-2022-24772
2022-03-18 14:15:00
ubuntucve
ubuntucve
CVE-2022-24772
2022-03-18 00:00:00
redhat
redhat