CVE-2022-31020 : Indy Node is the server portion of a distributed ledger purpose-built for decent

Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.

Published 2022-09-06 17:15:08

Updated 2022-09-13 14:23:15

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationExecute codeBypassGain privilege

Products affected by CVE-2022-31020

Linuxfoundation » Indy-node
Versions up to, including, (<=) 1.12.4
cpe:2.3:a:linuxfoundation:indy-node:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-31020

EPSS FAQ

1.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 76 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-31020

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-31020

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Primary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-31020

https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5

Merge pull request from GHSA-r6v9-p59m-gj2p · hyperledger/indy-node@fe50747 · GitHub
Patch;Third Party Advisory
https://github.com/hyperledger/indy-node/releases/tag/v1.12.5

Release v1.12.5 · hyperledger/indy-node · GitHub
Release Notes;Third Party Advisory
https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p

Remote code execution in Indy-Node's pool-upgrade transaction · Advisory · hyperledger/indy-node · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-31020

Products affected by CVE-2022-31020

Exploit prediction scoring system (EPSS) score for CVE-2022-31020

CVSS scores for CVE-2022-31020

CWE ids for CVE-2022-31020

References for CVE-2022-31020