Workflow

PyPi: Aries-Cloudagent

CVE-2024-21669

Safety vulnerability ID: 64225

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 11, 2024 Updated at May 07, 2024
Scan your Python projects for vulnerabilities →

Advisory

Aries-cloudagent is affected by a Insufficient Verification of Data Authenticity vulnerability. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation 'document.proof' was not factored into the final 'verified' value ('true'/'false') on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.
https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm

Affected package

aries-cloudagent

Latest version: 0.12.1

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments.

Affected versions

Fixed versions

Vulnerability changelog

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5. See CVE-2024-21669.


MISC:https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293: https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293
MISC:https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2: https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2
MISC:https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5: https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5
MISC:https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0: https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0
MISC:https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm: https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 8.8

CVSS v3 Details

HIGH 8.8
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Availability (A)
HIGH