GoogleOSV:GO-2022-1117Insufficient verification of proofs in github.com/codenotary/immudb
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
48.9%
In certain scenarios, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value.
This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/codenotary/immudb | lt | 1.4.1 |
References
github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81
github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6
github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8
github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
48.9%