9.9
CVE-2024-21669
- EPSS 0.14%
- Veröffentlicht 11.01.2024 06:15:44
- Zuletzt bearbeitet 21.11.2024 08:54:50
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginHyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Hyperledger ≫ Aries Cloud Agent SwPlatformpython Version >= 0.7.0 < 0.10.5
Hyperledger ≫ Aries Cloud Agent Version0.11.0 Updaterc1 SwPlatformpython
Hyperledger ≫ Aries Cloud Agent Version0.11.0 Updaterc2 SwPlatformpython
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.341 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 9.9 | 3.1 | 6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.