CVE-2017-16005 – http-signature

Package

Manager: npm
Name: http-signature
Vulnerable Version: >=0 <0.10.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00161 pctl0.37494

Details

Header Forgery in http-signature Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names. ## Proof of Concept Consider this to be the initial, untampered request: ```http POST /pay HTTP/1.1 Host: example.com Date: Thu, 05 Jan 2012 21:31:40 GMT X-Payment-Source: src@money.com X-Payment-Destination: dst@money.com Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5... ``` And the request is intercepted and tampered as follows: ```http X-Payment-Source: dst@money.com // Emails switched X-Payment-Destination: src@money.com Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5... ``` In the resulting responses, both requests would pass signature verification without issue. ``` src@money.com\n dst@money.com\n ``` ## Recommendation Update to version 0.10.0 or higher.

Metadata

Created: 2018-11-09T17:49:34Z
Modified: 2023-09-08T23:24:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-q257-vv4p-fg92/GHSA-q257-vv4p-fg92.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-q257-vv4p-fg92
Finding: F184
Auto approve: 1