
CVE-2022-31020
Date: September 6, 2022
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the "pool-upgrade" request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The "pool-upgrade" request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure "auth_rules" to prevent new DIDs from being written to the ledger until the network can be upgraded.
Language: Python
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |