node-forge: Signature verification leniency in checking `DigestInfo` structure

A flaw was found in the node-forge library when verifying the signature on the ASN.1 structure in RSA PKCS1 v1.5. This flaw allows an attacker to obtain successful verification for invalid DigestInfo structure, affecting the integrity of the attacked resource...

Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services

Summary A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services. Vulnerability Details CVEID:CVE-2022-24772 DESCRIPTION: Node.js node-forge module could allow a remote attacker to bypass security restrictions, caused by improper signature...

Digital Bazaar Forge Data Forgery Issue Vulnerability (CNVD-2022-22656)

Digital Bazaar Forge is a native implementation of Tls in Javascript and an open source tool for writing encryption-based and network-intensive Web applications from Digital Bazaar, Inc. A data forgery issue vulnerability exists in versions prior to Digital Bazaar Forge 1.3.0, which originated in...

Insecure Cryptography

node-forge improperly verifies cryptographic signatures. The vulnerability exists through improper verification of DigestInfo in the rsa.js file allowing to validate the signature in an invalid structure which allows an attacker to perform unwanted actions...

Improper Verification of Cryptographic Signature in `node-forge`

Impact RSA PKCS1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. Patches The issue has been addressed in node-forge 1.3.0. For more...

GHSA-2R2C-G63R-VCCR Improper Verification of Cryptographic Signature in `node-forge`

Impact RSA PKCS1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. Patches The issue has been addressed in node-forge 1.3.0. For more...

CVE-2022-24773

Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that...

Design/Logic Flaw

Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that...

CVE-2022-24772

Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed an...

CVE-2022-24773

Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that...

CVE-2022-24773 Improper Verification of Cryptographic Signature in `node-forge`

Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that...

Digital Bazaar Forge 数据伪造问题漏洞

Digital Bazaar Forge is a native implementation of Tls in Javascript and an open source tool for writing encryption-based and network-intensive Web applications from Digital Bazaar, Inc. A data forgery issue vulnerability exists in versions prior to Digital Bazaar Forge 1.3.0, which originated in...

GHSA-27FJ-MC8W-J9WG RSA signature validation vulnerability on maleable encoded message in jsrsasign

Impact Vulnerable jsrsasign will accept RSA signature with improper PKCS1.5 padding. Decoded RSA signature value consists following form: 01ff...8 or more ffs...ff00ASN.1 OF DigestInfo Its byte length must be the same as RSA key length, however such checking was not sufficient. To make crafted...

Mozilla Network Security Services RSA Signature Forgery (CVE-2014-1568)

An RSA signature forgery vulnerability exists in Mozilla Network Security Services NSS, the cryptographic library used in many applications including Firefox and Google Chrome. The vulnerability is a result of improper verification of RSA signatures due to incorrect ASN.1 parsing of the DigestInf...

Mozilla Network Security Services (NSS) fails to properly verify RSA signatures

Overview The Mozilla Network Security Services NSS library fails to properly verify RSA signatures due to incorrect ASN.1 parsing of DigestInfo. This vulnerability may allow an attacker to forge a RSA signature, such as a SSL certificate. Description CWE-295: Improper Certificate Validation RSA...