CVE-2017-16005: Improper Verification of Cryptographic Signature

June 4, 2018 (updated October 9, 2019)

http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

References

nvd.nist.gov/vuln/detail/CVE-2017-16005

Detect and mitigate CVE-2017-16005 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →