DaView Indy, DaVA+, DaOffice Security Vulnerabilities

hackerone

Hyperledger: [indy_node] POOL_UPGRADE command injection, Trustee Node can execute command in any other Node's system.

After I finished my report, I found that this project is not part of the bounty program, so I also commit this report. This issue is related to https://github.com/hyperledger/indy-node. I found that some functions, such as get_latest_pkg_version/_call_upgrade_script, have a command injection vulnerability. ...

7.4AI Score

2023-02-02 02:44 PM
12
hackerone

Hyperledger: POOL_UPGRADE request handler may allow an unauthenticated attacker to remotely execute code on every node in the network.

This issue is related to https://github.com/hyperledger/indy-node. The issue was found in the indy-node code that handles the write request of type POOL_UPGRADE (in file indy-node/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py). The...

8.8CVSS

-0.3AI Score

0.007EPSS

2022-09-20 07:39 AM
27
osv

Hyperledger indy-node vulnerable to denial of service

Impact An attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose. The ledger content will not be impacted by the attack, and the ledger will...

7.5CVSS

2.1AI Score

0.001EPSS

2022-09-16 08:28 PM
8
github

Hyperledger indy-node vulnerable to denial of service

Impact An attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose. The ledger content will not be impacted by the attack, and the ledger will...

7.5CVSS

7.2AI Score

0.001EPSS

2022-09-16 08:28 PM
16
veracode

Denial Of Service (DOS)

Indy_node is vulnerable to Denial of Service (DOS). An attacker can max out the connections to the ledger, resulting in Denial of Service. This vulnerability exploits the trade-off between resilience and availability, where any attacker firewall mitigation will restrict legitimate users. It is...

7.5CVSS

7.2AI Score

0.001EPSS

2022-09-12 04:30 PM
8
osv

CVE-2022-31006

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....

7.5CVSS

7.4AI Score

0.001EPSS

2022-09-09 07:15 PM
4
nvd

CVE-2022-31006

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....

7.5CVSS

0.001EPSS

2022-09-09 07:15 PM
cve

CVE-2022-31006

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....

7.5CVSS

7.3AI Score

0.001EPSS

2022-09-09 07:15 PM
65
6
prion

Code injection

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....

7.5CVSS

7.3AI Score

0.001EPSS

2022-09-09 07:15 PM
4
osv

PYSEC-2022-270

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....

7.5CVSS

2AI Score

0.001EPSS

2022-09-09 07:15 PM
8
cvelist

CVE-2022-31006 Hyperledger Indy DOS vulnerability

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose....

7.5CVSS

7.5AI Score

0.001EPSS

2022-09-09 07:10 PM
hackerone

Hyperledger: DOS validator nodes of blockchain to block external connections

Attack was documented in the GitHub repo: https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7 Attack: The attacker sends 500 read requests to each node and opens a new one when holding 500 parallel connections. Every user is able to send read requests since it's....

7.5CVSS

-0.1AI Score

0.001EPSS

2022-09-08 04:37 PM
42
osv

CVE-2022-31020

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS

8.9AI Score

0.007EPSS

2022-09-06 05:15 PM
6
nvd

CVE-2022-31020

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS

0.007EPSS

2022-09-06 05:15 PM
cve

CVE-2022-31020

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS

8.8AI Score

0.007EPSS

2022-09-06 05:15 PM
64
6
prion

Remote code execution

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS

8.9AI Score

0.007EPSS

2022-09-06 05:15 PM
2
osv

PYSEC-2022-265

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS

4.2AI Score

0.007EPSS

2022-09-06 05:15 PM
7
cvelist

CVE-2022-31020 Remote code execution in Indy's NODE_UPGRADE transaction

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The pool-upgrade request...

8.8CVSS

9.1AI Score

0.007EPSS

2022-09-06 04:30 PM
veracode

Remote Code Execution (RCE)

indy-node is vulnerable to remote code execution. The vulnerability exists because the dynamic_validation function of pool_upgrade_handler.py does not properly handle the requests, allowing an attacker to inject and execute malicious code on nodes within the network via the NODE_UPGRADE...

8.8CVSS

9AI Score

0.007EPSS

2022-09-05 04:26 AM
7
osv

Indy's NODE_UPGRADE transaction vulnerable to remote code execution

Impact The pool-upgrade request handler in Indy-Node <=1.12.4 allows an improperly authenticated attacker to remotely execute code on nodes within the network. Network operators are strongly encouraged to upgrade to the latest Indy-Node release >=1.12.5 as soon as possible. Patches The...

8.8CVSS

4.4AI Score

0.007EPSS

2022-09-02 09:55 PM
14
github

Indy's NODE_UPGRADE transaction vulnerable to remote code execution

Impact The pool-upgrade request handler in Indy-Node <=1.12.4 allows an improperly authenticated attacker to remotely execute code on nodes within the network. Network operators are strongly encouraged to upgrade to the latest Indy-Node release >=1.12.5 as soon as possible. Patches The...

8.8CVSS

8.8AI Score

0.007EPSS

2022-09-02 09:55 PM
17
osv

Malicious code in indy-vdr-shared (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (100d7d507e1de15d089d8a333266fbd1c2a02baa06348b81ee159fd787510d38) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2022-07-20 11:08 AM
3
openvas

SUSE: Security Advisory (SUSE-SU-2016:2887-1)

The remote host is missing an update for...

9.6CVSS

7.1AI Score

0.012EPSS

2021-04-19 12:00 AM
4
openvas

SUSE: Security Advisory (SUSE-SU-2016:2953-1)

The remote host is missing an update for...

9.6CVSS

7.9AI Score

0.012EPSS

2021-04-19 12:00 AM
2
packetstorm

-0.3AI Score

2021-02-24 12:00 AM
256
osv

CVE-2020-11093

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...

7.5CVSS

7.5AI Score

0.002EPSS

2020-12-24 08:15 PM
2
nvd

CVE-2020-11093

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...

7.5CVSS

7.5AI Score

0.002EPSS

2020-12-24 08:15 PM
cve

CVE-2020-11093

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...

7.5CVSS

7.5AI Score

0.002EPSS

2020-12-24 08:15 PM
43
8
prion

Design/Logic Flaw

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...

7.5CVSS

7.5AI Score

0.002EPSS

2020-12-24 08:15 PM
2
osv

PYSEC-2020-48

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...

7.5CVSS

3.1AI Score

0.002EPSS

2020-12-24 08:15 PM
11
cvelist

CVE-2020-11093 Authorization bypass in Hyperledger Indy

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the...

7.5CVSS

7.5AI Score

0.002EPSS

2020-12-24 08:05 PM
openbugbounty

indy-golf.com Cross Site Scripting vulnerability OBB-1401433

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence....

0.1AI Score

2020-10-12 12:48 PM
6
nvd

CVE-2020-7816

A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice software could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device. The vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....

7.8CVSS

0.003EPSS

2020-06-30 02:15 PM
cve

CVE-2020-7816

A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice software could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device. The vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....

7.8CVSS

8AI Score

0.003EPSS

2020-06-30 02:15 PM
22
prion

Stack overflow

A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice software could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device. The vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....

7.8CVSS

8AI Score

0.003EPSS

2020-06-30 02:15 PM
1
cvelist

CVE-2020-7816

A vulnerability in the JPEG image parsing module in DaView Indy, DaVa+, DaOffice software could allow an unauthenticated, remote attacker to cause an arbitrary code execution on an affected device. The vulnerability is due to a stack overflow read. An attacker could exploit this vulnerability by.....

7CVSS

8AI Score

0.003EPSS

2020-06-30 12:00 AM
veracode

Denial Of Service (DoS)

indy_plenum is vulnerable to denial of service (DoS). The vulnerability exists due to the lack of consensus while validating write transaction, causing unbounded retries upon...

7.5CVSS

2.9AI Score

0.002EPSS

2020-06-12 12:33 AM
6
osv

CVE-2020-11090

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...

7.5CVSS

7.4AI Score

0.002EPSS

2020-06-11 12:15 AM
6
cve

CVE-2020-11090

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...

7.5CVSS

7.2AI Score

0.002EPSS

2020-06-11 12:15 AM
42
nvd

CVE-2020-11090

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...

7.5CVSS

0.002EPSS

2020-06-11 12:15 AM
osv

PYSEC-2020-47

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...

7.5CVSS

3.3AI Score

0.002EPSS

2020-06-11 12:15 AM
5
prion

Code injection

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...

7.5CVSS

7.3AI Score

0.002EPSS

2020-06-11 12:15 AM
1
cvelist

CVE-2020-11090 Uncontrolled Resource Consumption in Indy Node

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down...

7.5CVSS

7.3AI Score

0.002EPSS

2020-06-11 12:05 AM
osv

Uncontrolled Resource Consumption in Indy Node

Summary Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. Discovery On May 18, Evernym's monitoring of Sovrin StagingNet....

7.5CVSS

-0.1AI Score

0.002EPSS

2020-06-11 12:04 AM
9
github

Uncontrolled Resource Consumption in Indy Node

Summary Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. Discovery On May 18, Evernym's monitoring of Sovrin StagingNet....

7.5CVSS

-0.1AI Score

0.002EPSS

2020-06-11 12:04 AM
34
openbugbounty

indy-golf.com Cross Site Scripting vulnerability

Open Bug Bounty ID: OBB-1178496 Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website...

AI Score

2020-05-30 01:49 PM
6
openbugbounty

thisismoney.co.uk Cross Site Scripting vulnerability

Open Bug Bounty ID: OBB-1066736 Security Researcher 4N_CURZE Helped patch 1543 vulnerabilities Received 7 Coordinated Disclosure badges Received 13 recommendations, a holder of 7 badges for responsible and coordinated disclosure, found a security vulnerability affecting thisismoney.co.uk website.....

AI Score

2020-01-13 12:11 PM
8
securelist

Octopus-infested seas of Central Asia

For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and...

0.5AI Score

2018-10-15 10:00 AM
60
hackapp

DaOffice Chat - Customized SSL, Dangerous filesystem permissions, MIT license vulnerabilities

HackApp vulnerability scanner discovered that application DaOffice Chat published at the 'play' market has multiple...

0.3AI Score

2018-01-24 07:36 PM
485
openvas

HTTP Banner Evaluation

This script gets the HTTP banner and stores some values in the KB related to...

7.2AI Score

2017-02-21 12:00 AM
211
Total number of security vulnerabilities: 90