HIGH🇬🇧 English

CVE-2017-16005

CVSS 7.5v3.0pub. 2018-06-04upd. 2024-11-21

Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Joyent Http Signature

    APP
    Joyent
    ≤ 0.9.11
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2020-27678CRITICAL9.8ten sam vendor

An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r1510...

CVE-2020-7712HIGH7.2ten sam vendor

This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup...

CVE-2018-3737HIGH7.5ten sam vendor

sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

CVE-2018-1171HIGH7.0ten sam vendor

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS...

CVE-2018-1165HIGH7.0ten sam vendor

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS...