Описание
Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs-http-signature | Will not fix | ||
| Red Hat Mobile Application Platform 4 | nodejs-http-signature | Not affected | ||
| Red Hat OpenShift Enterprise 3 | nodejs-http-signature | Not affected | ||
| Red Hat Software Collections | rh-nodejs4-nodejs-http-signature | Not affected | ||
| Red Hat Software Collections | rh-nodejs6-nodejs-http-signature | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.
Http-signature is a "Reference implementation of Joyent's HTTP Signatu ...
EPSS
7.5 High
CVSS3