CVE-2022-31020
September 06, 2022
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the "pool-upgrade" request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The "pool-upgrade" request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure "auth_rules" to prevent new DIDs from being written to the ledger until the network can be upgraded.
Affected Packages
indy-node (PYTHON):
Affected version(s) >=0.0.1.dev38 <1.12.5rc1Fix Suggestion:
Update to version 1.12.5rc1Related ResourcesĀ (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
EPSS
Base Score:
2.58
