exploitDog
GHSA-c27r-x354-4m68

Published: 27 Oct 2020
Source: github
GitHub: reviewed

Description

xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion

Impact

An attacker can inject an HMAC-SHA1 signature that validates using only knowledge of the RSA public key. Affected versions register HMAC-SHA1 alongside the public-key algorithms and hand every algorithm the same key material the verifier was configured with, so a document whose SignatureMethod names hmac-sha1 is checked with the public key as the HMAC secret. Because the public key is not secret (it is commonly published in metadata or embedded in KeyInfo), anyone can compute a matching HMAC and bypass signature validation.

Patches

Version 2.0.0 has the fix.

Workarounds

The recommendation is to upgrade. If that is not possible, remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms so that documents whose SignatureMethod names HMAC-SHA1 are rejected instead of being verified against the public key.

Packages

Name: xml-crypto (npm)
Affected versions: <= 1.5.3
Fixed version: 2.0.0

Weaknesses

CWE-287 (Improper Authentication)
