CVE-2022-24772 (High) detected in node-forge-1.2.1.tgz #1366
Labels
cve
Security vulnerabilities detected by Dependabot or Mend
high severity
High severity CVE
Mend: dependency security vulnerability
Security vulnerability detected by Mend
v2.0.0
CVE-2022-24772 - High Severity Vulnerability
Vulnerable Library - node-forge-1.2.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.2.1.tgz
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Forge (also called
node-forge
) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding aDigestInfo
ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed innode-forge
version 1.3.0. There are currently no known workarounds.Publish Date: 2022-03-18
URL: CVE-2022-24772
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
The text was updated successfully, but these errors were encountered: