<p>Upgrade <code>xml-crypto</code> to version 2.0.0 or higher.</p>

Signature Validation Bypass Affecting xml-crypto package, versions <2.0.0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-XMLCRYPTO-1023301
published 28 Oct 2020
disclosed 27 Oct 2020
credit Brian Wolff

Report a new vulnerability Found a mistake?

Introduced: 27 Oct 2020

CWE-347 Open this link in a new tab

How to fix?

Upgrade xml-crypto to version 2.0.0 or higher.

Overview

xml-crypto is a xml digital signature and encryption library for Node.js.

Affected versions of this package are vulnerable to Signature Validation Bypass. An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

None
Availability (A)

None

Signature Validation Bypass Affecting xml-crypto package, versions <2.0.0

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 27 Oct 2020

How to fix?

Overview

References

CVSS Scores

Snyk