Vulnerability Information
Vulnerability Title
browserify-sign vulnerable via an upper bound check issue in `dsaVerify` that leads to a signature forgery attack
Vulnerability Description
browserify-sign is a package that duplicates the functionality of Node's crypto public key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, leading to a signature forgery attack. Every place in this project that performs DSA verification of user-supplied signatures is affected by this vulnerability. This issue has been patched in version 4.2.2.
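The bound the description refers to is the standard DSA requirement that both signature components satisfy 0 < r < q and 0 < s < q before any arithmetic is done. The following is an added example, not browserify-sign's code: `dsaVerifyStrict`, `inRange`, `PARAMS` and `SAMPLE` are hypothetical names, and the parameters are constructed toy values far too small for real use.

```javascript
// Textbook DSA verification over BigInt with explicit range checks (added example).
// Toy parameters (constructed): q divides p - 1, and g has order q modulo p.
const PARAMS = { p: 23n, q: 11n, g: 2n };
// Constructed sample: private x = 7, nonce k = 3, digest z = 5 gives y = 13, (r, s) = (8, 2).
const SAMPLE = { y: 13n, z: 5n, r: 8n, s: 2n };

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse for a prime modulus q, via Fermat's little theorem.
function modInv(a, q) {
  return modPow(a, q - 2n, q);
}

// A signature component is acceptable only if 0 < value < q.
// Both bounds are compared against q itself, as BigInt values.
function inRange(value, q) {
  return typeof value === 'bigint' && value > 0n && value < q;
}

function dsaVerifyStrict({ p, q, g }, y, z, r, s) {
  // Reject first: an out-of-range r or s must never reach the arithmetic below.
  if (!inRange(r, q) || !inRange(s, q)) return false;
  const w = modInv(s, q);
  const u1 = (z % q) * w % q;
  const u2 = (r * w) % q;
  const v = (modPow(g, u1, p) * modPow(y, u2, p)) % p % q;
  return v === r;
}
```

A regression test for any DSA verifier should include the boundary values `0`, `q` and `q + s` for each component, since a verifier that reduces them modulo q instead of rejecting them accepts signatures it should not.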
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
Improper Verification of Cryptographic Signature
Vulnerability Title
browserify-sign data forgery vulnerability
Vulnerability Description
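browserify-sign is a package for duplicating the functionality of Node's crypto public key functions. browserify-sign contains a security vulnerability that stems from a problem with the upper bound check in the `dsaVerify` function, which allows an attacker to have signatures successfully verified by any public key, leading to a signature forgery attack.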
CVSS Information
N/A
Vulnerability Type
N/A