CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31006 – Hyperledger Indy DOS vulnerability
https://notcve.org/view.php?id=CVE-2022-31006
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. • https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3 https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31020 – Remote code execution in Indy's NODE_UPGRADE transaction
https://notcve.org/view.php?id=CVE-2022-31020
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. • https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5 https://github.com/hyperledger/indy-node/releases/tag/v1.12.5 https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11093 – Authorization bypass in Hyperledger Indy
https://notcve.org/view.php?id=CVE-2020-11093
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger. Updating a DID with a nym transaction will be written to the ledger if neither ROLE or VERKEY are being changed, regardless of sender. A malicious DID with no particular role can ask an update for another DID (but cannot modify its verkey or role). This is bad because 1) Any DID can write a nym transaction to the ledger (i.e., any DID can spam the ledger with nym transactions), 2) Any DID can change any other DID's alias, 3) The update transaction modifies the ledger metadata associated with a DID. • https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1124 https://github.com/hyperledger/indy-node/blob/master/docs/source/auth_rules.md https://github.com/hyperledger/indy-node/commit/55056f22c83b7c3520488b615e1577e0f895d75a https://github.com/hyperledger/indy-node/security/advisories/GHSA-wh2w-39f4-rpv2 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11090 – Uncontrolled Resource Consumption in Indy Node
https://notcve.org/view.php?id=CVE-2020-11090
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3. • https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123 https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c https://pypi.org/project/indy-node/1.12.3 • CWE-400: Uncontrolled Resource Consumption •