New: Corgea AI Pentesting — autonomous penetration testing in hours, not weeks
UNKNOWN npm

xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion

GHSA-c27r-x354-4m68

Published · Modified

Description

Impact

An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

Patches

Version 2.0.0 has the fix.

Workarounds

The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.

Ready to move

Start Securing

Free, no credit card | First findings in minutes