8.1
CVE-2026-40070
- EPSS 0.14%
- Veröffentlicht 09.04.2026 18:17:03
- Zuletzt bearbeitet 24.04.2026 17:03:39
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginbsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Sgbett ≫ Bsv-wallet SwPlatformruby Version >= 0.1.2 < 0.3.4
Sgbett ≫ Bsv Ruby Sdk SwPlatformruby Version >= 0.3.1 < 0.8.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.033 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
|
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc
https://github.com/sgbett/bsv-ruby-sdk/issues/305
https://github.com/sgbett/bsv-ruby-sdk/pull/306
https://brc.dev/52
https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j