Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWMyN3IteDM1NC00bTY4
xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion
Impact
An attacker can forge an HMAC-SHA1 signature that passes validation using only knowledge of the RSA public key, which allows signature validation to be bypassed.
Patches
Version 2.0.0 has the fix.
Workarounds
The recommendation is to upgrade. If that is not possible, remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.
Permalink: https://github.com/advisories/GHSA-c27r-x354-4m68
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWMyN3IteDM1NC00bTY4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
Identifiers: GHSA-c27r-x354-4m68
References:
- https://github.com/yaronn/xml-crypto/security/advisories/GHSA-c27r-x354-4m68
- https://github.com/yaronn/xml-crypto/commit/3d9db712e6232c765cd2ad6bd2902b88a0d22100
- https://www.npmjs.com/package/xml-crypto
- https://github.com/advisories/GHSA-c27r-x354-4m68
Blast Radius: 0.0
Affected Packages
npm:xml-crypto
Dependent packages: 307
Dependent repositories: 7,392
Downloads: 4,475,264 last month
Affected Version Ranges: <= 1.5.3
Fixed in: 2.0.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.1.24, 0.1.25, 0.1.26, 0.2.26, 0.3.26, 0.4.26, 0.5.26, 0.5.27, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.0, 0.10.0, 0.10.1, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3
All unaffected versions: 1.5.4, 1.5.5, 1.5.6, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 4.0.0, 4.0.1, 4.1.0, 5.0.0, 5.1.0, 5.1.1, 6.0.0