CVE-2017-16005
Header Forgery in http-signature
Description
Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names. ## Proof of Concept Consider this to be the initial, untampered request: ```http POST /pay HTTP/1.1 Host: example.com Date: Thu, 05 Jan 2012 21:31:40 GMT X-Payment-Source: [email protected] X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5... ``` And the request is intercepted and tampered as follows: ```http X-Payment-Source: [email protected] // Emails switched X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5... ``` In the resulting responses, both requests would pass signature verification without issue. ``` [email protected]\n [email protected]\n ``` ## Recommendation Update to version 0.10.0 or higher.
How to fix CVE-2017-16005
To remediate CVE-2017-16005, upgrade the affected package to a fixed version below.
- —upgrade to 0.10.0 or later
Is CVE-2017-16005 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.10.0