Skip to content

xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion

High severity GitHub Reviewed Published Oct 26, 2020 in node-saml/xml-crypto • Updated Jan 11, 2023

Package

npm xml-crypto (npm)

Affected versions

<= 1.5.3

Patched versions

2.0.0

Description

Impact

An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

Patches

Version 2.0.0 has the fix.

Workarounds

The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.

References

@yaronn yaronn published to node-saml/xml-crypto Oct 26, 2020
Reviewed Oct 27, 2020
Published to the GitHub Advisory Database Oct 27, 2020
Last updated Jan 11, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-c27r-x354-4m68

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.