UNKNOWN npm
xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion
GHSA-c27r-x354-4m68
Published · Modified
Description
Impact
An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.
Patches
Version 2.0.0 has the fix.
Workarounds
The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.
Ready to move
Start Securing
Free, no credit card | First findings in minutes