Platform
nodejs
Component
node-forge
Fixed in
1.3.0
CVE-2022-24773 affects the node-forge library, a JavaScript library for cryptographic primitives. This vulnerability allows attackers to bypass RSA PKCS#1 v1.5 signature verification by exploiting a flaw in how the DigestInfo is validated for proper ASN.1 structure. Successful exploitation could allow attackers to forge signatures, potentially leading to unauthorized access or data manipulation. The vulnerability is resolved in version 1.3.0.
The core of this vulnerability lies in the flawed validation of the DigestInfo component within RSA PKCS#1 v1.5 signatures. node-forge fails to rigorously check the ASN.1 structure, permitting signatures with invalid structures to be accepted as valid if the digest itself matches. This means an attacker can craft a malicious signature with a subtly altered ASN.1 structure but a valid hash, effectively bypassing the verification process. The potential impact is significant, as it could allow attackers to impersonate legitimate entities or tamper with digitally signed data without detection. For example, an attacker could forge a signature on a software update, tricking a user's system into installing malware. The blast radius depends on the applications using node-forge and the sensitivity of the data being protected by these signatures.
CVE-2022-24773 was published on March 18, 2022. Its severity is rated as MEDIUM (CVSS 5.3). There is no indication of this vulnerability being actively exploited in the wild, nor is it currently listed on KEV or EPSS. Public proof-of-concept (POC) code is not widely available, which may limit immediate exploitation. Refer to the Digital Bazaar advisory and the node-forge GitHub repository for further details.
Exploit status
EPSS
0.13% (32nd percentile)
CVSS vector
The primary mitigation for CVE-2022-24773 is to upgrade to node-forge version 1.3.0 or later, which includes the necessary fixes for ASN.1 structure validation. If upgrading immediately is not feasible, consider implementing stricter input validation on the signatures being processed. While not a complete solution, this can add a layer of defense. Review your application's code to identify all instances where node-forge is used for signature verification and ensure that the updated version is deployed as soon as possible. After upgrading, confirm the fix by attempting to verify a known-malformed signature: it should now be rejected.
Update the `node-forge` library to version 1.3.0 or later to fix the vulnerability. This update addresses the incorrect verification of RSA PKCS#1 v1.5 cryptographic signatures, preventing the successful verification of signatures with invalid ASN.1 structures.
It's a vulnerability in the node-forge library allowing attackers to bypass RSA signature verification due to improper ASN.1 structure validation.
If you're using a version of node-forge prior to 1.3.0, you are potentially affected by this vulnerability.
Upgrade to node-forge version 1.3.0 or later to resolve the vulnerability. Implement stricter input validation as a temporary measure.
There is currently no public evidence of active exploitation of CVE-2022-24773.
Refer to the Digital Bazaar advisory on GitHub: https://github.com/digitalbazaar/forge and the NVD entry for more information.