Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
References:
https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2
Created cockatrice tracking bugs for this issue: Affects: fedora-all [bug 2069028]
Created couchdb tracking bugs for this issue: Affects: fedora-all [bug 2069030]
Created dotnet3.1 tracking bugs for this issue: Affects: fedora-all [bug 2069027]
Created golang-ariga-atlas tracking bugs for this issue: Affects: fedora-all [bug 2069031]
Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2069036]
Created golang-vitess tracking bugs for this issue: Affects: fedora-all [bug 2069032]
Created grpc tracking bugs for this issue: Affects: fedora-all [bug 2069033]
Created openvas-gsa tracking bugs for this issue: Affects: fedora-all [bug 2069034]
Created zuul tracking bugs for this issue: Affects: fedora-all [bug 2069035]
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-24773
This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.11 on RHEL8 Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835