Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, the RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is in use. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds. https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765 https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
Created cockatrice tracking bugs for this issue: Affects: fedora-all [bug 2069010]
Created couchdb tracking bugs for this issue: Affects: fedora-all [bug 2069011]
Created dotnet3.1 tracking bugs for this issue: Affects: fedora-all [bug 2069007]
Created golang-ariga-atlas tracking bugs for this issue: Affects: fedora-all [bug 2069012]
Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2069008]
Created golang-vitess tracking bugs for this issue: Affects: fedora-all [bug 2069013]
Created grpc tracking bugs for this issue: Affects: fedora-all [bug 2069014]
Created openvas-gsa tracking bugs for this issue: Affects: fedora-all [bug 2069015]
Created zuul tracking bugs for this issue: Affects: fedora-all [bug 2069016]
Since grpc only references the affected package in a package-lock.json file for a sample project in the documentation, I have closed the grpc bugs as NOTABUG. (See also bug 2061818.) I'm removing the package-lock.json file from the sample project, which will hopefully keep bugs from being filed for CVEs in its recursive dependency tree in the future.
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24771
This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.11 on RHEL8 Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
This issue has been addressed in the following products: RHPAM 7.13.1 async Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813
This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835