Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Verification of Cryptographic Signature in `node-forge`
Vulnerability Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
Digital Bazaar Forge 数据伪造问题漏洞
Vulnerability Description
Digital Bazaar Forge是美国Digital Bazaar公司的一个 Tls 在 Javascript 中的本机实现以及用于编写基于加密和网络密集型 Web 应用程序的开源工具。 Digital Bazaar Forge1.3.0之前版本存在数据伪造问题漏洞,该漏洞源于SA PKCS#1 v1.5 签名验证码无法正确检查 DigestInfo 以获得正确的 ASN.1 结构。攻击者可以发送特殊的签名利用该漏洞以验证包含无效结构但有效摘要的签名。
CVSS Information
N/A
Vulnerability Type
N/A