GHSA-c27r-x354-4m68

Source

https://github.com/advisories/GHSA-c27r-x354-4m68

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-c27r-x354-4m68/GHSA-c27r-x354-4m68.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c27r-x354-4m68

Published

2020-10-27T20:39:46Z

Modified

2022-08-02T20:03:05Z

Summary

xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion

Details

Impact

An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

Patches

Version 2.0.0 has the fix.

Workarounds

The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.

Database specific

{
    "github_reviewed_at": "2020-10-27T20:35:52Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

npm / xml-crypto

Package

Name: xml-crypto; View open source insights on deps.dev
Purl: pkg:npm/xml-crypto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0

Database specific

{
    "last_known_affected_version_range": "<= 1.5.3"
}