browserify-sign is a package to duplicate the functionality of nodes crypto public key functions, much of this is based on Fedor Indutnys work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Browserify-sign | Browserify | * | 4.2.2 (excluding) |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-agent-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-all-in-one-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-collector-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-es-index-cleaner-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-es-rollover-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-ingester-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-operator-bundle-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-operator-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | jaeger-query-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | opentelemetry-collector-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | opentelemetry-operator-bundle-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | opentelemetry-operator-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | tempo-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | tempo-gateway-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | tempo-gateway-opa-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | tempo-operator-bundle-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | tempo-operator-container | * |
| Red Hat OpenShift distributed tracing 2 | RedHat | tempo-query-container | * |
| Node-browserify-sign | Ubuntu | bionic | * |
| Node-browserify-sign | Ubuntu | esm-apps/bionic | * |
| Node-browserify-sign | Ubuntu | focal | * |
| Node-browserify-sign | Ubuntu | jammy | * |
| Node-browserify-sign | Ubuntu | lunar | * |
| Node-browserify-sign | Ubuntu | mantic | * |
| Node-browserify-sign | Ubuntu | trusty | * |
| Node-browserify-sign | Ubuntu | xenial | * |