CVE-2009-0217: XML signature HMAC truncation authentication bypass

July 14, 2009 (updated October 12, 2018)

This package uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.

References

svn.apache.org/viewvc?view=revision&revision=794013
bugzilla.redhat.com/CVE-2009-0217

Detect and mitigate CVE-2009-0217 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →