GMS-2020-561: HMAC-SHA1 signatures can bypass validation via key confusion

October 27, 2020 (updated September 27, 2021)

Impact

An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation.

Patches

has the fix.

Workarounds

The recommendation is to upgrade. In case that is not possible remove the ‘http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.

References

github.com/advisories/GHSA-c27r-x354-4m68
github.com/yaronn/xml-crypto/commit/3d9db712e6232c765cd2ad6bd2902b88a0d22100
github.com/yaronn/xml-crypto/security/advisories/GHSA-c27r-x354-4m68
www.npmjs.com/package/xml-crypto

Detect and mitigate GMS-2020-561 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →