CVE-2017-16005
Header Forgery in http-signature
描述
Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names. ## Proof of Concept Consider this to be the initial, untampered request: ```http POST /pay HTTP/1.1 Host: example.com Date: Thu, 05 Jan 2012 21:31:40 GMT X-Payment-Source: [email protected] X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-source x-payment-destination" MDyO5tSvin5... ``` And the request is intercepted and tampered as follows: ```http X-Payment-Source: [email protected] // Emails switched X-Payment-Destination: [email protected] Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="x-payment-destination x-payment-source" MDyO5tSvin5... ``` In the resulting responses, both requests would pass signature verification without issue. ``` [email protected]\n [email protected]\n ``` ## Recommendation Update to version 0.10.0 or higher.
如何修補 CVE-2017-16005
要修補 CVE-2017-16005,請將受影響套件升級到下列已修補版本。
- —升級至 0.10.0 或更新版本
CVE-2017-16005 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 0.10.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 |
|---|