Http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <= 0.9.11, http-signature builds the string that is signed from the header values only, in the order given by the `headers` parameter of the Signature header; the header names themselves are not part of the signed string. This makes http-signature vulnerable to header forgery: an attacker who can intercept and modify a request can move values between header names (and reorder the `headers` list to match) so that the concatenated values, and therefore the signature, stay identical while the meaning of the request changes. Upstream issue: https://github.com/joyent/node-http-signature/issues/10 External references: https://nodesecurity.io/advisories/318
Created nodejs-http-signature tracking bugs for this issue: Affects: epel-all [bug 1588847] Affects: fedora-all [bug 1588848]
The current versions (0.10.0 for nodejs4 and 1.1.1 for nodejs6) of http-signature shipped in Red Hat Software Collections are not affected.
The current versions of http-signature used in RHMAP 4.6 are not affected.
The current version of http-signature (0.11.0-1.el7aos) used in OCP 3.x is not affected.