Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2022-31020
HistorySep 06, 2022 - 5:15 p.m.

CVE-2022-31020

2022-09-0617:15:08
CWE-20
CWE-287
[email protected]
web.nvd.nist.gov
4
indy node
remote code execution
version 1.12.4
authentication
network security
vulnerability
ledger security
workaround
auth_rules
dids

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

81.5%

JSON

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure auth_rules to prevent new DIDs from being written to the ledger until the network can be upgraded.

Affected configurations

Nvd
Node
linuxfoundationindy-nodeRange1.12.4
VendorProductVersionCPE
linuxfoundationindy-node*cpe:2.3:a:linuxfoundation:indy-node:*:*:*:*:*:*:*:*

Related

github 1
osv 3
cve 1
hackerone 1
cvelist 1
prion 1
veracode 1
github
github
Indy's NODE_UPGRADE transaction vulnerable to remote code execution
2022-09-02 21:55:20
osv
osv
CVE-2022-31020
2022-09-06 17:15:08
PYSEC-2022-265
2022-09-06 17:15:00
Indy's NODE_UPGRADE transaction vulnerable to remote code execution
2022-09-02 21:55:20
cve
cve
CVE-2022-31020
2022-09-06 17:15:08
hackerone
hackerone
Hyperledger: POOL_UPGRADE request handler may allow an unauthenticated attacker to remotely execute code on every node in the network.
2022-09-20 07:39:34
cvelist
cvelist
CVE-2022-31020 Remote code execution in Indy's NODE_UPGRADE transaction
2022-09-06 16:30:19
prion
prion
Remote code execution
2022-09-06 17:15:00
veracode
veracode
Remote Code Execution (RCE)
2022-09-05 04:26:51

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

81.5%

JSON
Related for NVD:CVE-2022-31020
github1osv3cve1hackerone1cvelist1prion1veracode1