CVE-2017-16005

EPSS 0.16%
Veröffentlicht 04.06.2018 19:29:00
Zuletzt bearbeitet 21.11.2024 03:15:39
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Joyent ≫ Http-signature SwPlatformnode.js Version <= 0.9.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.375

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/joyent/node-http-signature/issues/10

Patch

Third Party Advisory

https://nodesecurity.io/advisories/318

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-16005

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-16005

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-16005

EUVD