cvedb.io
CVE-2017-16005
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2018-06-04T19:29:00.523 · Last modified 2026-06-17T01:08:37.837

Summary

http-signature is a "Reference implementation of Joyent's HTTP Signature Scheme". In versions <=0.9.11, http-signature signs only the header values, not the header names, which makes it vulnerable to header forgery: an attacker who can intercept a request can swap header names and change the meaning of the request without changing the signature.
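The effect of signing values without names, shown as an added example (not code from http-signature or from this advisory). The function names, the request shape and the header values are assumptions made for illustration; the hardened builder uses "name: value" lines, and the list of signed header names is modelled as travelling with the signature without being covered by it.

```javascript
// Added illustration; not http-signature's source. All header values are constructed.

// Behaviour the summary describes for <=0.9.11: only header values are signed.
function valuesOnlySigningString(req) {
  return req.signedNames.map((n) => req.headers[n.toLowerCase()]).join('\n');
}

// Hardened form (assumed layout): every line binds the lowercase name to its value.
function nameBoundSigningString(req) {
  return req.signedNames
    .map((n) => {
      const name = n.toLowerCase();
      if (!Object.prototype.hasOwnProperty.call(req.headers, name)) {
        throw new Error(`missing signed header: ${name}`);
      }
      return `${name}: ${req.headers[name]}`;
    })
    .join('\n');
}

// A signature is a deterministic function of the signing string, so a stored
// signature still verifies on an altered request exactly when both requests
// produce the same signing string.
function signatureSurvives(build, original, altered) {
  return build(original) === build(altered);
}

// Constructed request. signedNames models the list of signed headers that
// accompanies the signature and is not itself covered by it.
const original = {
  signedNames: ['x-source-account', 'x-destination-account'],
  headers: { 'x-source-account': 'acct-1001', 'x-destination-account': 'acct-2002' },
};

// Same values in the same order, header names exchanged in transit.
const renamed = {
  signedNames: ['x-destination-account', 'x-source-account'],
  headers: { 'x-destination-account': 'acct-1001', 'x-source-account': 'acct-2002' },
};

console.log('values only:', signatureSurvives(valuesOnlySigningString, original, renamed));
console.log('name bound: ', signatureSurvives(nameBoundSigningString, original, renamed));
```

The same comparison works as a regression test for any signing-string builder: the renamed request must yield a different string from the original.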

Affected products

joyent — http-signature

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.