CVE-2022-24773

ADVISORY - github

Summary

Impact

RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Patches

The issue has been addressed in node-forge 1.3.0.

For more information

If you have any questions or comments about this advisory:

Open an issue in forge
Email us at example email address

EPSS Score⁠: 0.00098 (0.418)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-347⁠

Improper Verification of Cryptographic Signature

ADVISORY - github

CWE-347⁠

Improper Verification of Cryptographic Signature

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-347⁠

Improper Verification of Cryptographic Signature

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-347⁠

Improper Verification of Cryptographic Signature

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.