DaView Indy, DaVA+, DaOffice Security Vulnerabilities
After I finish my report, I found project this is not part of the bounty program, so I also commit this report. This issue is related to the https://github.com/hyperledger/indy-node. I found some function such as get_latest_pkg_version/_call_upgrade_script has command injection vulnerability. ...
7.4AI Score
This issue is related to the https://github.com/hyperledger/indy-node. The issue was found in the indy-node code that handles the write request of type POOL_UPGRADE (in file indy-node/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py).** The...
8.8CVSS
-0.3AI Score
0.008EPSS
Hyperledger indy-node vulnerable to denial of service
Impact An attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose. The ledger content will not be impacted by the attack, and the ledger will...
7.5CVSS
2.1AI Score
0.001EPSS
Hyperledger indy-node vulnerable to denial of service
Impact An attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose. The ledger content will not be impacted by the attack, and the ledger will...
7.5CVSS
7.2AI Score
0.001EPSS
Indy_node is vulnerable to Denial of Service (DOS). An attacker can max out the connections to the ledger, resulting in Denial of Service. This vulnerability exploits the trade-off between resilience and availability, where any attacker firewall mitigation will restrict legitimate users. It is...
7.5CVSS
7.2AI Score
0.001EPSS
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....
7.5CVSS
7.4AI Score
0.001EPSS
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....
7.5CVSS
0.001EPSS
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....
7.5CVSS
7.3AI Score
0.001EPSS
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....
7.5CVSS
7.3AI Score
0.001EPSS
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....
7.5CVSS
2AI Score
0.001EPSS
CVE-2022-31006 Hyperledger Indy DOS vulnerability
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....
7.5CVSS
7.5AI Score
0.001EPSS
Hyperledger: DOS validator nodes of blockchain to block external connections
Attack was documented in the in the github repo: https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7 Attack: The attacker sends 500 read requests to each node and opens a new one when holding 500 parallel connections. Every user is able to send read requests since it's....
7.5CVSS
-0.1AI Score
0.001EPSS
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...
8.8CVSS
8.8AI Score
0.008EPSS
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...
8.8CVSS
8.9AI Score
0.008EPSS
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...
8.8CVSS
0.008EPSS
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...
8.8CVSS
8.9AI Score
0.008EPSS
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...
8.8CVSS
4.2AI Score
0.008EPSS
CVE-2022-31020 Remote code execution in Indy's NODE_UPGRADE transaction
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...
8.8CVSS
9.1AI Score
0.008EPSS
indy-node is vulnerable to remote code execution. The vulnerability exists because the dynamic_validation function of pool_upgrade_handler.py does not properly handle the requests, allowing an attacker to inject and execute malicious code on nodes within the network via the NODE_UPGRADE...
8.8CVSS
9AI Score
0.008EPSS
Indy's NODE_UPGRADE transaction vulnerable to remote code execution
Impact The pool-upgrade request handler in Indy-Node <=1.12.4 allows an improperly authenticated attacker to remotely execute code on nodes within the network. Network operators are strongly encouraged to upgrade to the latest Indy-Node release >=1.12.5 as soon as possible. Patches The...
8.8CVSS
4.4AI Score
0.008EPSS
Indy's NODE_UPGRADE transaction vulnerable to remote code execution
Impact The pool-upgrade request handler in Indy-Node <=1.12.4 allows an improperly authenticated attacker to remotely execute code on nodes within the network. Network operators are strongly encouraged to upgrade to the latest Indy-Node release >=1.12.5 as soon as possible. Patches The...
8.8CVSS
8.8AI Score
0.008EPSS
Malicious code in indy-vdr-shared (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (100d7d507e1de15d089d8a333266fbd1c2a02baa06348b81ee159fd787510d38) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
9.6CVSS
7.9AI Score
0.012EPSS
9.6CVSS
7.1AI Score
0.012EPSS
-0.3AI Score
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...
7.5CVSS
7.5AI Score
0.002EPSS
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...
7.5CVSS
7.5AI Score
0.002EPSS
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...
7.5CVSS
7.5AI Score
0.002EPSS
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...
7.5CVSS
3.1AI Score
0.002EPSS
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...
7.5CVSS
7.5AI Score
0.002EPSS
CVE-2020-11093 Authorization bypass in Hyperledger Indy
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...
7.5CVSS
7.5AI Score
0.002EPSS
indy-golf.com Cross Site Scripting vulnerability OBB-1401433
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:       a. verified the vulnerability and confirmed its existence;       b. notified the website operator about its existence....
0.1AI Score
A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice softwares could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device.nThe vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....
7.8CVSS
0.003EPSS
A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice softwares could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device.nThe vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....
7.8CVSS
8AI Score
0.003EPSS
A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice softwares could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device.nThe vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....
7.8CVSS
8AI Score
0.003EPSS
A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice softwares could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device.nThe vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....
7CVSS
8AI Score
0.003EPSS
indy_plenum is vulnerable to denial of service (DoS). The vulnerability exists due to the lack of consensus while validating write transaction, causing unbounded retries upon...
7.5CVSS
2.9AI Score
0.002EPSS
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...
7.5CVSS
7.2AI Score
0.002EPSS
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...
7.5CVSS
7.4AI Score
0.002EPSS
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...
7.5CVSS
0.002EPSS
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...
7.5CVSS
3.3AI Score
0.002EPSS
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...
7.5CVSS
7.3AI Score
0.002EPSS
CVE-2020-11090 Uncontrolled Resource Consumption in Indy Node
In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...
7.5CVSS
7.3AI Score
0.002EPSS
Uncontrolled Resource Consumption in Indy Node
Summary Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. Discovery On May 18, Evernym's monitoring of Sovrin StagingNet....
7.5CVSS
-0.1AI Score
0.002EPSS
Uncontrolled Resource Consumption in Indy Node
Summary Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. Discovery On May 18, Evernym's monitoring of Sovrin StagingNet....
7.5CVSS
-0.1AI Score
0.002EPSS
indy-golf.com Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1178496 Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:       a. verified the vulnerability and confirmed its existence;       b. notified the website...
AI Score
thisismoney.co.uk Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1066736 Security Researcher 4N_CURZE Helped patch 1543 vulnerabilities Received 7 Coordinated Disclosure badges Received 13 recommendations , a holder of 7 badges for responsible and coordinated disclosure, found a security vulnerability affecting thisismoney.co.uk website.....
AI Score
Octopus-infested seas of Central Asia
For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and...
0.5AI Score
DaOffice Chat - Customized SSL, Dangerous filesystem permissions, MIT license vulnerabilities
HackApp vulnerability scanner discovered that application DaOffice Chat published at the 'play' market has multiple...
0.3AI Score
This script gets the HTTP banner and stores some values in the KB related to...
7.2AI Score