CVE-2017-16005 - AskarLabs CVE Database

CVE-2017-16005

Vendor Hackerone

Product http-signature node module

Weakness CWE-20 · Input validation

Published June 4, 2018

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

Key dates

02Disclosure timeline

June 4, 2018 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2017-16005

Related vulnerabilities

04Related CVE

CVE-2026-21690 iccDEV has Type Confusion in CIccTagXmlTagData::ToXml() CVE-2026-0543 Improper Input Validation in Kibana Email Connector Leading to Excessive Allocation CVE-2026-24936 An improper input validation vulnerability was found in ADM while joining a AD Domain. CVE-2021-36048 XMP Toolkit SDK Improper Input Validation Could Lead To Arbitrary Code Execution CVE-2021-0267 Junos OS: Receipt of a crafted DHCP packet will cause the jdhcpd DHCP service to core.