
CVE-2024-32657 – Hydra has persistent XSS vulnerability serving HTML build outputs
https://notcve.org/view.php?id=CVE-2024-32657
22 Apr 2024 — Hydra is a Continuous Integration service for Nix-based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients. One use of this functionality is serving NixOS `.iso` files. The issue is only with HTML files served by Hydra. • https://github.com/NixOS/hydra/commit/b72528be5074f3e62e9ae2c2ae8ef9c07a0b4dd3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-42449 – Malicious head initialiser can extract PTs from control of Hydra scripts, leading to locked participant commits or spoofed commits
https://notcve.org/view.php?id=CVE-2023-42449
04 Oct 2023 — Hydra is the two-layer scalability solution for Cardano. Prior to version 0.13.0, it is possible for a malicious head initializer to extract one or more PTs for the head they are initializing due to incorrect data validation logic in the head token minting policy, which then results in a flawed check for burning the head ST in the `initial` validator. This is possible because it is not checked in `HeadTokens.hs` that the datums of the outputs at the `initial` validator are equal to the real head ID, and it ... • https://github.com/input-output-hk/hydra/blob/1e13b60a7b21c5ccd6c36e3cf220547f5d443cef/hydra-node/src/Hydra/Chain/Direct/Tx.hs#L645-L761 • CWE-20: Improper Input Validation

CVE-2023-42448 – Hydra's contestation period in head datum can be modified during Close transaction, allowing malicious participant to freely modify the contestation deadline
https://notcve.org/view.php?id=CVE-2023-42448
04 Oct 2023 — Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, the specification states that the contestation period in the datum of the UTxO at the head validator must stay unchanged as the state progresses from Open to Closed (Close transaction), but no such check appears to be performed in the `checkClose` function of the head validator. This would allow a malicious participant to modify the contestation deadline of the head to either allow them to fanout the head without giving anothe... • https://github.com/input-output-hk/hydra/blob/master/CHANGELOG.md#0130---2023-10-03 • CWE-20: Improper Input Validation; CWE-1284: Improper Validation of Specified Quantity in Input

CVE-2023-38701 – Hydra's committed UTxOs at Commit validator and UTxOs at Initial validator can be spent arbitrarily by anyone
https://notcve.org/view.php?id=CVE-2023-38701
04 Oct 2023 — Hydra is the layer-two scalability solution for Cardano. Users of the Hydra head protocol send the UTxOs they wish to commit into the Hydra head first to the `commit` validator, where they remain until they are either collected into the `head` validator or the protocol initialisation is aborted and the value in the committed UTxOs is returned to the users who committed them. Prior to version 0.12.0, the `commit` validator contains a flawed check when the `ViaAbort` redeemer is used, which allows any user to... • https://github.com/input-output-hk/hydra/blob/master/CHANGELOG.md#0120---2023-08-18 • CWE-20: Improper Input Validation

CVE-2023-42806 – Snapshot signature not including HeadID will allow replay attacks
https://notcve.org/view.php?id=CVE-2023-42806
21 Sep 2023 — Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\mathsf{cid}$` allows an attacker (who must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head from finalizing because the value available is not consistent with the closed UTxO state (... • https://github.com/input-output-hk/hydra/blob/ec6c7a2ab651462228475d0b34264e9a182c22bb/hydra-node/src/Hydra/HeadLogic.hs#L357 • CWE-347: Improper Verification of Cryptographic Signature

CVE-2020-5300 – Disallow replay of `private_key_jwt` by blacklisting JTIs in Hydra
https://notcve.org/view.php?id=CVE-2020-5300
06 Apr 2020 — In Hydra (an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using the client authentication method 'private_key_jwt' [1], the OpenID specification says the following about the assertion `jti`: "A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties". Hydra does not check the uniqueness of this `jti` value. Exploiting this vulne... • https://github.com/ory/hydra/commit/700d17d3b7d507de1b1d459a7261d6fb2571ebe3 • CWE-294: Authentication Bypass by Capture-replay

CVE-2019-17502
https://notcve.org/view.php?id=CVE-2019-17502
12 Oct 2019 — Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests that lack a Content-Length header. read.c, request.c, and util.c contribute to this. The process_header_end() function calls boa_atoi(), which ultimately calls atoi() on a NULL pointer. • http://hydra.hellug.gr • CWE-476: NULL Pointer Dereference

CVE-2019-8400
https://notcve.org/view.php?id=CVE-2019-8400
17 Feb 2019 — ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the error_hint parameter of the oauth2/fallbacks/error endpoint. • https://drive.google.com/file/d/1-25expUYVfK6vsiCmEabUCuelOP7aUDj/view?usp=drivesdk • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')