
CVE-2024-45244
https://notcve.org/view.php?id=CVE-2024-45244
25 Aug 2024 — Hyperledger Fabric through 2.5.9 does not verify that a request has a timestamp within the expected time window. • https://github.com/shanker-sec/HLF_TxTime_spoofing • CWE-294: Authentication Bypass by Capture-replay •
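
What "verify that a request has a timestamp within the expected time window" looks like in practice, as an added example in Go (not Fabric's code; the Proposal type, the tolerance value and the sample body are assumptions). The window check alone only bounds how long a captured proposal stays replayable, so the guard also remembers digests of accepted proposals for the life of the window and rejects a second arrival inside it:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Proposal is a stand-in (assumption, not a Fabric type) for a signed client
// request: the timestamp the client put in its header plus the signed body.
type Proposal struct {
	Timestamp time.Time
	Body      []byte
}

var (
	ErrStale  = errors.New("proposal timestamp outside accepted window")
	ErrReplay = errors.New("proposal already seen")
)

// ReplayGuard accepts a proposal only if its timestamp lies within
// `tolerance` of the receiver's clock (past or future) and its digest has not
// already been accepted. `now` is injectable so the window can be tested.
type ReplayGuard struct {
	mu        sync.Mutex
	tolerance time.Duration
	seen      map[string]time.Time // digest -> proposal timestamp
	now       func() time.Time
}

func NewReplayGuard(tolerance time.Duration, now func() time.Time) *ReplayGuard {
	return &ReplayGuard{tolerance: tolerance, seen: map[string]time.Time{}, now: now}
}

func (g *ReplayGuard) Accept(p Proposal) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()

	// Reject anything further than `tolerance` from our clock in either
	// direction; a future-dated proposal would otherwise be replayable later.
	if d := now.Sub(p.Timestamp); d > g.tolerance || d < -g.tolerance {
		return fmt.Errorf("%w: skew %v, tolerance %v", ErrStale, d, g.tolerance)
	}

	// Forget digests whose timestamp can no longer pass the window check;
	// a replay of those is rejected by the skew test, so the set stays bounded.
	for k, ts := range g.seen {
		if now.Sub(ts) > g.tolerance {
			delete(g.seen, k)
		}
	}

	// The timestamp is part of the signed content, so it belongs in the digest.
	sum := sha256.Sum256(append([]byte(p.Timestamp.UTC().Format(time.RFC3339Nano)), p.Body...))
	key := hex.EncodeToString(sum[:])
	if _, dup := g.seen[key]; dup {
		return ErrReplay
	}
	g.seen[key] = p.Timestamp
	return nil
}

func main() {
	clock := time.Date(2024, 8, 25, 12, 0, 0, 0, time.UTC)
	g := NewReplayGuard(5*time.Minute, func() time.Time { return clock })
	// Constructed sample proposal; the body stands in for a signed chaincode invocation.
	p := Proposal{Timestamp: clock, Body: []byte("invoke mycc transfer A B 10")}
	fmt.Println("first:      ", g.Accept(p)) // <nil>
	fmt.Println("replay:     ", g.Accept(p)) // proposal already seen
	clock = clock.Add(10 * time.Minute)
	fmt.Println("late replay:", g.Accept(p)) // proposal timestamp outside accepted window
}
```

The tolerance should be small (minutes, not hours) and the same on every peer, otherwise a captured proposal can be replayed against whichever peer has the widest window.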

CVE-2024-22192 – Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders
https://notcve.org/view.php?id=CVE-2024-22192
16 Jan 2024 — Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder ... • https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVE-2024-21670 – CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential
https://notcve.org/view.php?id=CVE-2024-21670
16 Jan 2024 — Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being "not revoked" when in fact, the holder's credential has been r... • https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVE-2022-31021 – Unlinkability broken in ursa when verifiers use malicious keys
https://notcve.org/view.php?id=CVE-2022-31021
16 Jan 2024 — Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implement... • https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVE-2024-21669 – Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
https://notcve.org/view.php?id=CVE-2024-21669
11 Jan 2024 — Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (L... • https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293 • CWE-347: Improper Verification of Cryptographic Signature •
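
The flaw is in how per-check results are combined, so the added example below (in Go, not ACA-Py's code; the Credential, Presentation and Result types are assumptions, and Ed25519 signatures stand in for Linked Data Proofs) reproduces that shape: the presentation proof is checked but its outcome never reaches the final flag. The sample presentation carries a validly issued credential whose presentation proof was made by someone other than the named holder, which is exactly what the vulnerable path accepts:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Toy stand-ins (assumptions, not ACA-Py or W3C data model types) for a
// credential and a presentation wrapping several of them. Each carries a
// proof; here a proof is an Ed25519 signature.
type Credential struct {
	Claims    []byte            // what the issuer attested
	IssuerKey ed25519.PublicKey // key the issuer proof is checked against
	Proof     []byte            // issuer signature over Claims
}

type Presentation struct {
	Credentials []Credential
	HolderKey   ed25519.PublicKey // key the presentation proof is checked against
	Proof       []byte            // holder signature binding the credentials to a challenge
}

type Result struct {
	Verified bool
	Errors   []string
}

// presentationSigningInput is what the holder signs: the verifier's challenge
// followed by every embedded credential proof, so the presentation proof
// covers exactly the credentials shown and cannot be replayed elsewhere.
func presentationSigningInput(p Presentation, challenge []byte) []byte {
	msg := append([]byte{}, challenge...)
	for _, c := range p.Credentials {
		msg = append(msg, c.Proof...)
	}
	return msg
}

func verifyCredentials(p Presentation) (bool, []string) {
	ok := true
	var errs []string
	for i, c := range p.Credentials {
		if !ed25519.Verify(c.IssuerKey, c.Claims, c.Proof) {
			ok = false
			errs = append(errs, fmt.Sprintf("credential %d: issuer proof invalid", i))
		}
	}
	return ok, errs
}

// VerifyVulnerable mirrors the flaw: the presentation proof is evaluated,
// but its result never reaches Verified.
func VerifyVulnerable(p Presentation, challenge []byte) Result {
	credsOK, errs := verifyCredentials(p)
	proofOK := ed25519.Verify(p.HolderKey, presentationSigningInput(p, challenge), p.Proof)
	_ = proofOK // computed and discarded
	return Result{Verified: credsOK, Errors: errs}
}

// VerifyHardened folds every check into the final flag and records why it failed.
func VerifyHardened(p Presentation, challenge []byte) Result {
	credsOK, errs := verifyCredentials(p)
	proofOK := ed25519.Verify(p.HolderKey, presentationSigningInput(p, challenge), p.Proof)
	if !proofOK {
		errs = append(errs, "presentation proof invalid")
	}
	return Result{Verified: credsOK && proofOK, Errors: errs}
}

// BuildPresentation constructs a presentation with a valid issuer proof. With
// legitimateHolder=false the presentation proof is made by a third party who
// merely obtained the credential, the case the flaw lets through.
func BuildPresentation(challenge []byte, legitimateHolder bool) Presentation {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	claims := []byte(`{"degree":"BSc"}`) // constructed sample claim
	cred := Credential{Claims: claims, IssuerKey: issuerPub, Proof: ed25519.Sign(issuerPriv, claims)}
	p := Presentation{Credentials: []Credential{cred}, HolderKey: holderPub}
	signer := otherPriv
	if legitimateHolder {
		signer = holderPriv
	}
	p.Proof = ed25519.Sign(signer, presentationSigningInput(p, challenge))
	return p
}

func main() {
	challenge := []byte("nonce-from-verifier")
	p := BuildPresentation(challenge, false)
	fmt.Println("vulnerable:", VerifyVulnerable(p, challenge).Verified) // true
	fmt.Println("hardened:  ", VerifyHardened(p, challenge).Verified)   // false
}
```

The general rule the example illustrates: a verifier that returns a single boolean must derive it from every proof it evaluated, and the list of reasons it records is the easiest place to notice when one has been dropped.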

CVE-2023-46132 – Crosslinking transaction attack in hyperledger/fabric
https://notcve.org/view.php?id=CVE-2023-46132
14 Nov 2023 — Hyperledger Fabric is an open source permissioned distributed ledger framework. Joining two molecules to one another, called "cross-linking", results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cr... • https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2022-45196
https://notcve.org/view.php?id=CVE-2022-45196
12 Nov 2022 — Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist. • https://github.com/SmartBFT-Go/fabric/issues/286 • CWE-670: Always-Incorrect Control Flow Implementation •
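
The mitigation the note describes, a lock around "check the name is free, then create it", as an added example in Go (not Fabric's orderer code; the ChannelRegistry type and the flood of 100 concurrent creations are assumptions). Without the mutex the existence check and the insert are two separate steps, and concurrent creation transactions for the same name can all pass the check:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrChannelExists = errors.New("channel already exists")

// ChannelRegistry stands in (assumption) for the set of channels an orderer
// knows about. One mutex makes check-then-create a single atomic step.
type ChannelRegistry struct {
	mu       sync.Mutex
	channels map[string]struct{}
}

func NewChannelRegistry() *ChannelRegistry {
	return &ChannelRegistry{channels: map[string]struct{}{}}
}

// Create registers name, or returns ErrChannelExists so the caller never
// enters per-channel setup twice for the same name.
func (r *ChannelRegistry) Create(name string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, exists := r.channels[name]; exists {
		return ErrChannelExists
	}
	r.channels[name] = struct{}{}
	return nil
}

func (r *ChannelRegistry) Count() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.channels)
}

// Flood submits n creation requests for the same name concurrently, the
// pattern in the advisory, and reports how many were accepted and rejected.
func Flood(r *ChannelRegistry, name string, n int) (accepted int, rejected int) {
	var wg sync.WaitGroup
	var mu sync.Mutex
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			err := r.Create(name)
			mu.Lock()
			defer mu.Unlock()
			if err == nil {
				accepted++
			} else {
				rejected++
			}
		}()
	}
	wg.Wait()
	return accepted, rejected
}

func main() {
	r := NewChannelRegistry()
	a, rej := Flood(r, "mychannel", 100) // constructed flood of identical channel creations
	fmt.Printf("accepted=%d rejected=%d channels=%d\n", a, rej, r.Count()) // accepted=1 rejected=99 channels=1
}
```

Run it with `go run -race .` to confirm the registry itself has no data race; the point of the lock is that exactly one of the identical requests succeeds no matter how they interleave.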

CVE-2022-36023 – Remote denial of service in Hyperledger Fabric Gateway
https://notcve.org/view.php?id=CVE-2022-36023
18 Aug 2022 — Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6. • https://github.com/hyperledger/fabric/pull/3572 • CWE-20: Improper Input Validation •

CVE-2022-31121 – Improper Input Validation in fabric hyperledger
https://notcve.org/view.php?id=CVE-2022-31121
07 Jul 2022 — Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue. • https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06 • CWE-20: Improper Input Validation •
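
Both this entry and CVE-2022-36023 above share one mechanism: a request arrives with a nested message missing, the handler dereferences it, and the resulting panic in a server goroutine takes the whole process down. The added example below (Go, not Fabric's code; the Request, Payload and Header structs are assumptions standing in for generated protobuf types, where an absent submessage is a nil pointer in the same way) shows the crashing handler beside one that validates the shape and returns an error, run on the same malformed input:

```go
package main

import (
	"errors"
	"fmt"
)

// Plain structs standing in (assumption) for a request whose inner messages
// are optional on the wire.
type Header struct{ ChannelID string }
type Payload struct{ Header *Header }
type Request struct{ Payload *Payload }

var ErrMalformed = errors.New("malformed request")

// HandleVulnerable dereferences nested fields directly. A request without a
// Payload or Header makes it panic, and an unrecovered panic in a server
// goroutine terminates the process: the denial of service in the advisories.
func HandleVulnerable(req *Request) (string, error) {
	return req.Payload.Header.ChannelID, nil
}

// HandleHardened validates the request shape first and turns a missing part
// into an error for the client, which is the fix the advisories describe.
func HandleHardened(req *Request) (string, error) {
	switch {
	case req == nil:
		return "", fmt.Errorf("%w: nil request", ErrMalformed)
	case req.Payload == nil:
		return "", fmt.Errorf("%w: missing payload", ErrMalformed)
	case req.Payload.Header == nil:
		return "", fmt.Errorf("%w: missing header", ErrMalformed)
	case req.Payload.Header.ChannelID == "":
		return "", fmt.Errorf("%w: empty channel id", ErrMalformed)
	}
	return req.Payload.Header.ChannelID, nil
}

// Serve invokes a handler and reports whether it panicked, so the two
// behaviours can be compared on identical input without crashing the demo.
func Serve(h func(*Request) (string, error), req *Request) (id string, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	id, err = h(req)
	return
}

func main() {
	good := &Request{Payload: &Payload{Header: &Header{ChannelID: "mychannel"}}}
	bad := &Request{Payload: &Payload{}} // constructed sample: header omitted
	handlers := []struct {
		name string
		fn   func(*Request) (string, error)
	}{
		{"vulnerable", HandleVulnerable},
		{"hardened", HandleHardened},
	}
	for _, h := range handlers {
		id, p, err := Serve(h.fn, bad)
		fmt.Printf("%s on malformed: id=%q panicked=%v err=%v\n", h.name, id, p, err)
		id, p, err = Serve(h.fn, good)
		fmt.Printf("%s on valid:     id=%q panicked=%v err=%v\n", h.name, id, p, err)
	}
}
```

A recover wrapper like Serve is a safety net, not the fix: the hardened handler is what turns an attacker-controlled crash into an ordinary rejected request, and it is what the 2.2.7 / 2.4.5 / 2.4.6 changes add.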

CVE-2018-3756
https://notcve.org/view.php?id=CVE-2018-3756
01 Jun 2018 — Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures. • https://github.com/hyperledger/iroha/releases/tag/v1.0.0_beta-2 • CWE-347: Improper Verification of Cryptographic Signature •
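
The bypass works because a randomized signature scheme lets one key produce unlimited distinct valid signatures over the same bytes, and a validator that counts signatures rather than signers mistakes them for a quorum. The added example below (Go with ECDSA P-256, not Iroha's code or its signature scheme; the Signature type, the quorum of 3 and the sample digest are assumptions) shows the two counting rules side by side on a list where one node signed three times and a second node once:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is a stand-in (assumption) for one entry in a transaction's
// signature list: the signer's public key and its ECDSA signature. ECDSA
// draws a fresh random nonce per signature, so the same key can produce any
// number of distinct, valid signatures over one digest.
type Signature struct {
	Signer *ecdsa.PublicKey
	Sig    []byte
}

// keyID identifies a signer by its public point (assumption: a real system
// would use its canonical key serialization).
func keyID(pk *ecdsa.PublicKey) string {
	return fmt.Sprintf("%x,%x", pk.X, pk.Y)
}

// CountVulnerable counts every valid signature, so a single node that signs
// k times is counted k times.
func CountVulnerable(digest []byte, sigs []Signature) int {
	n := 0
	for _, s := range sigs {
		if ecdsa.VerifyASN1(s.Signer, digest, s.Sig) {
			n++
		}
	}
	return n
}

// CountDistinctSigners counts valid signatures by distinct signer key, so
// repeats from one key add nothing. A quorum check must use this number.
func CountDistinctSigners(digest []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		if ecdsa.VerifyASN1(s.Signer, digest, s.Sig) {
			seen[keyID(s.Signer)] = true
		}
	}
	return len(seen)
}

// BuildSignatures signs digest `repeats` times with one key (the attack when
// repeats > 1) and once with a second, independent key.
func BuildSignatures(digest []byte, repeats int) ([]Signature, error) {
	nodeA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nodeB, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var sigs []Signature
	for i := 0; i < repeats; i++ {
		sig, err := ecdsa.SignASN1(rand.Reader, nodeA, digest)
		if err != nil {
			return nil, err
		}
		sigs = append(sigs, Signature{Signer: &nodeA.PublicKey, Sig: sig})
	}
	sig, err := ecdsa.SignASN1(rand.Reader, nodeB, digest)
	if err != nil {
		return nil, err
	}
	return append(sigs, Signature{Signer: &nodeB.PublicKey, Sig: sig}), nil
}

func main() {
	digest := sha256.Sum256([]byte("constructed sample transaction")) // constructed input
	sigs, err := BuildSignatures(digest[:], 3)
	if err != nil {
		panic(err)
	}
	quorum := 3
	vuln, fixed := CountVulnerable(digest[:], sigs), CountDistinctSigners(digest[:], sigs)
	fmt.Printf("valid signatures=%d distinct signers=%d quorum=%d\n", vuln, fixed, quorum) // 4, 2, 3
	fmt.Println("vulnerable validator reaches quorum:", vuln >= quorum)  // true
	fmt.Println("hardened validator reaches quorum:  ", fixed >= quorum) // false
}
```

Deduplicating by signer key is necessary even with a deterministic scheme such as Ed25519, where repeats would be byte-identical: deduplicating by signature bytes is the wrong key, since it is the identity of the signer that the quorum is about.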