Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2017-16005

UNKNOWN
Published 2018-06-04T19:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-16005. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

http-signature node module

Affected Versions:

<=0.9.11

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Header Forgery in http-signature

GHSA-q257-vv4p-fg92

Advisory Details

Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names. ## Proof of Concept Consider this to be the initial, untampered request: ```http POST /pay HTTP/1.1 Host: example.com Date: Thu, 05 Jan 2012 21:31:40 GMT X-Payment-Source: [email protected] X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5... ``` And the request is intercepted and tampered as follows: ```http X-Payment-Source: [email protected] // Emails switched X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5... ``` In the resulting responses, both requests would pass signature verification without issue. ``` [email protected]\n [email protected]\n ``` ## Recommendation Update to version 0.10.0 or higher.

Affected Packages

npm http-signature
ECOSYSTEM: ≥0 <0.10.0

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-16005
WEB https://github.com/joyent/node-http-signature/issues/10
ADVISORY https://github.com/advisories/GHSA-q257-vv4p-fg92
WEB https://www.npmjs.com/advisories/318

Advisory provided by GitHub Security Advisory Database. Published: November 9, 2018, Modified: September 8, 2023

References

https://github.com/joyent/node-http-signature/issues/10
https://nodesecurity.io/advisories/318
Published: 2018-06-04T19:00:00Z
Last Modified: 2024-09-16T19:19:33.991Z
Copied to clipboard!