Lucene search
GoogleOSV:CVE-2022-24772HistoryMar 18, 2022 - 2:15 p.m.
CVE-2022-24772
2022-03-1814:15:10
Google
osv.dev
12
cve-2022-24772
javascript
rsa
pkcs#1 v1.5
signature verification
asn.1
security vulnerability
EPSS
0.001
Percentile
36.5%
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Related
github
github
Improper Verification of Cryptographic Signature in node-forge
2022-03-18 23:10:28
ibm
ibm
debiancve
debiancve
CVE-2022-24772
2022-03-18 14:15:10
ubuntucve
ubuntucve
CVE-2022-24772
2022-03-18 00:00:00
nvd
nvd
CVE-2022-24772
2022-03-18 14:15:10
cve
cve
CVE-2022-24772
2022-03-18 14:15:10
cvelist
cvelist
redhatcve
redhatcve
CVE-2022-24772
2022-03-23 21:03:33
veracode
veracode
Improper Verification Of Signature
2022-03-21 11:00:54
osv
osv
Improper Verification of Cryptographic Signature in node-forge
2022-03-18 23:10:28
prion
prion
Code injection
2022-03-18 14:15:00
nessus
nessus
RHEL 8 : pcs (Unpatched Vulnerability)
2024-06-03 00:00:00
redhat
redhat