Vulnerabilities

3 via 3 paths

Dependencies

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
  • 2
Status
  • 3
  • 0
  • 0

high severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: node-forge
  • Introduced through: node-forge@1.2.1

Detailed paths

  • Introduced through: node-forge@1.2.1
    Remediation: Upgrade to node-forge@1.3.0.

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

Remediation

Upgrade node-forge to version 1.3.0 or higher.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: node-forge
  • Introduced through: node-forge@1.2.1

Detailed paths

  • Introduced through: node-forge@1.2.1
    Remediation: Upgrade to node-forge@1.3.0.

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Remediation

Upgrade node-forge to version 1.3.0 or higher.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: node-forge
  • Introduced through: node-forge@1.2.1

Detailed paths

  • Introduced through: node-forge@1.2.1
    Remediation: Upgrade to node-forge@1.3.0.

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSAs PKCS#1` v1.5 signature verification code which is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

Remediation

Upgrade node-forge to version 1.3.0 or higher.

References