Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Forge | Digitalbazaar | * | 1.3.0 (excluding) |
| OpenShift Service Mesh 2.1 | RedHat | openshift-service-mesh/kiali-rhel8:1.36.9-1 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 | RedHat | rhacm2/console-rhel8:v2.4.4-4 | * |
| Red Hat OpenShift Data Foundation 4.11 on RHEL8 | RedHat | odf4/mcg-core-rhel8:v4.11.0-30 | * |
| Red Hat OpenShift Data Foundation 4.11 on RHEL8 | RedHat | odf4/odf-console-rhel8:v4.11.0-51 | * |
| RHINT Service Registry 2.3.0 GA | RedHat | node-forge | * |
| RHPAM 7.13.1 async | RedHat | node-forge | * |
| Node-node-forge | Ubuntu | impish | * |
| Node-node-forge | Ubuntu | kinetic | * |
| Node-node-forge | Ubuntu | trusty | * |
| Node-node-forge | Ubuntu | xenial | * |