Vulnerability-Lookup

CVE-2022-36111 (GCVE-0-2022-36111)

Vulnerability from cvelistv5 – Published: 2022-11-23 00:00 – Updated: 2025-04-22 16:02

Title

immundb has insufficient verification of data authenticity

Summary

immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/codenotary/immudb/releases/tag…
	https://github.com/codenotary/immudb/security/adv…
	https://github.com/codenotary/immudb/tree/master/…
	https://pkg.go.dev/github.com/codenotary/immudb/p…

Impacted products

	Vendor	Product	Version
	codenotary	immudb	Affected: < 1.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:52:00.524Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36111",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:41:23.490260Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T16:02:01.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "immudb",
          "vendor": "codenotary",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-23T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
        },
        {
          "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
        },
        {
          "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
        },
        {
          "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
        }
      ],
      "source": {
        "advisory": "GHSA-672p-m5jq-mrh8",
        "discovery": "UNKNOWN"
      },
      "title": "immundb has insufficient verification of data authenticity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36111",
    "datePublished": "2022-11-23T00:00:00.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-22T16:02:01.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-36111",
      "date": "2026-05-09",
      "epss": "0.00119",
      "percentile": "0.30407"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.4.1\", \"matchCriteriaId\": \"0EA9B368-DD84-4E51-ABFB-7FDEF2E9807E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.\"}, {\"lang\": \"es\", \"value\": \"immudb es una base de datos con prueba y verificaci\\u00f3n criptogr\\u00e1fica incorporada. En versiones anteriores a la 1.4.1, un servidor immudb malicioso puede proporcionar una prueba falsificada que ser\\u00e1 aceptada por el SDK del cliente al firmar una transacci\\u00f3n falsificada que reemplaza la genuina. Esta situaci\\u00f3n no puede ser provocada por un servidor immudb genuino y requiere que el cliente realice una lista espec\\u00edfica de operaciones verificadas que resultan en la aceptaci\\u00f3n de un valor de estado no v\\u00e1lido. Esta vulnerabilidad solo afecta a los SDK del cliente immudb; el servidor immudb en s\\u00ed no se ve afectado por esta vulnerabilidad. Este problema se solucion\\u00f3 en la versi\\u00f3n 1.4.1.\"}]",
      "id": "CVE-2022-36111",
      "lastModified": "2024-11-21T07:12:24.857",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}]}",
      "published": "2022-11-23T18:15:11.787",
      "references": "[{\"url\": \"https://github.com/codenotary/immudb/releases/tag/v1.4.1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/codenotary/immudb/releases/tag/v1.4.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-345\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-36111\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-23T18:15:11.787\",\"lastModified\":\"2024-11-21T07:12:24.857\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.\"},{\"lang\":\"es\",\"value\":\"immudb es una base de datos con prueba y verificaci\u00f3n criptogr\u00e1fica incorporada. En versiones anteriores a la 1.4.1, un servidor immudb malicioso puede proporcionar una prueba falsificada que ser\u00e1 aceptada por el SDK del cliente al firmar una transacci\u00f3n falsificada que reemplaza la genuina. Esta situaci\u00f3n no puede ser provocada por un servidor immudb genuino y requiere que el cliente realice una lista espec\u00edfica de operaciones verificadas que resultan en la aceptaci\u00f3n de un valor de estado no v\u00e1lido. Esta vulnerabilidad solo afecta a los SDK del cliente immudb; el servidor immudb en s\u00ed no se ve afectado por esta vulnerabilidad. Este problema se solucion\u00f3 en la versi\u00f3n 1.4.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.4.1\",\"matchCriteriaId\":\"0EA9B368-DD84-4E51-ABFB-7FDEF2E9807E\"}]}]}],\"references\":[{\"url\":\"https://github.com/codenotary/immudb/releases/tag/v1.4.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/codenotary/immudb/releases/tag/v1.4.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"immundb has insufficient verification of data authenticity\", \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-11-23T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.\"}], \"affected\": [{\"vendor\": \"codenotary\", \"product\": \"immudb\", \"versions\": [{\"version\": \"\u003c 1.4.1\", \"status\": \"affected\"}]}], \"references\": [{\"url\": \"https://github.com/codenotary/immudb/releases/tag/v1.4.1\"}, {\"url\": \"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8\"}, {\"url\": \"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\"}, {\"url\": \"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\"}}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\", \"cweId\": \"CWE-345\"}]}], \"source\": {\"advisory\": \"GHSA-672p-m5jq-mrh8\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:52:00.524Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/codenotary/immudb/releases/tag/v1.4.1\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-36111\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:41:23.490260Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:41:25.343Z\"}}]}",
      "cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2022-36111\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-22T16:02:01.177Z\", \"dateReserved\": \"2022-07-15T00:00:00.000Z\", \"datePublished\": \"2022-11-23T00:00:00.000Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-672P-M5JQ-MRH8

Vulnerability from github – Published: 2022-11-21 20:38 – Updated: 2024-05-20 21:34

Summary

Insufficient Verification of Proofs generated by the immudb server in client SDK.

Details

Impact

In certain scenario a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value.

This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability.

Detailed description

immudb uses Merkle Tree enhanced with additional linear part to perform consistency proofs between two transactions. The linear part is built from the last leaf node of the Merkle Tree compensating for transactions that were not yet consumed by the Merkle Tree calculation.

The Merkle Tree part is then used to perform proofs for things that are in transaction range covered by the Merkle Tree where the linear part is used to check those that are not yet in the Merkle Tree.

When doing consistency checks between two immudb states, the linear proof part is not fully checked. In fact only the first (last Merkle Tree leaf) and the last (current DB state value) are checked against new Merkle Tree without ensuring that elements in the middle of that chain are correctly added as Merkle Tree leafs.

This lack of check means that the database can present different set of hashes on the linear proof part to what would later be used once those become part of the Merkle Tree. This property can be exploited by the database to expose two different transaction entries depending on the other transaction that the user requested consistency proof for.

In practice this could lead to a following scenario:

a client requests a verified write operation
the server responds with a proof for the transaction
client stores the state value retrieved from the server and expects it to be a confirmation of that write and all the history of the database before that transaction
a series of validated read / write operations is performed by the client, each accompanied by a successfully validated consistency proof and update of the client state
the client requests verified get operation on the transaction it has written before (and that was verified with a proof from the server)
the server replies with a completely different transaction that can be properly validated according to the currently stored db state on the client side

Patches

The following Go SDK versions is not vulnerable:

SDK	Version
go	1.4.1

Workarounds

Invalid proofs can not be generated in a normal immudb server and will be detected by a genuine replica server. To ensure that the server does not produce invalid proofs and to check that the history presented by the server does not contain falsified transactions, one should run a genuine immudb replica server in a safe environment and fully synchronize all databases with the primary.

References

https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake

For more information

If you have any questions or comments about this advisory:

Open a discussion in immudb Discussions
Email us at immudb-security@codenotary.com

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/codenotary/immudb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T20:38:39Z",
    "nvd_published_at": "2022-11-23T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn certain scenario a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value.\n\nThis vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability.\n\n### Detailed description\n\nimmudb uses Merkle Tree enhanced with additional linear part to perform consistency proofs between two transactions. The linear part is built from the last leaf node of the Merkle Tree compensating for transactions that were not yet consumed by the Merkle Tree calculation.\n\nThe Merkle Tree part is then used to perform proofs for things that are in transaction range covered by the Merkle Tree where the linear part is used to check those that are not yet in the Merkle Tree.\n\nWhen doing consistency checks between two immudb states, the linear proof part is not fully checked. In fact only the first (last Merkle Tree leaf) and the last (current DB state value) are checked against new Merkle Tree without ensuring that elements in the middle of that chain are correctly added as Merkle Tree leafs.\n\nThis lack of check means that the database can present different set of hashes on the linear proof part to what would later be used once those become part of the Merkle Tree. This property can be exploited by the database to expose two different transaction entries depending on the other transaction that the user requested consistency proof for.\n\nIn practice this could lead to a following scenario:\n\n* a client requests a verified write operation\n* the server responds with a proof for the transaction\n* client stores the state value retrieved from the server and expects it to be a confirmation of that write and all the history of the database before that transaction\n* a series of validated read / write operations is performed by the client, each accompanied by a successfully validated consistency proof and update of the client state\n* the client requests verified get operation on the transaction it has written before (and that was verified with a proof from the server)\n* the server replies with a completely different transaction that can be properly validated according to the currently stored db state on the client side\n\n### Patches\n\nThe following Go SDK versions is not vulnerable:\n\n| **SDK** | **Version** |\n|-------|------------|\n| [go](pkg.go.dev/github.com/codenotary/immudb/pkg/client) | 1.4.1 |\n\n### Workarounds\n\nInvalid proofs can not be generated in a normal immudb server and will be detected by a genuine replica server.\nTo ensure that the server does not produce invalid proofs and to check that the history presented by the server\ndoes not contain falsified transactions, one should run a genuine immudb replica server in a safe environment\nand fully synchronize all databases with the primary.\n\n### References\n\n* https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open a discussion in [immudb Discussions](https://github.com/codenotary/immudb/discussions/new)\n* Email us at [immudb-security@codenotary.com](mailto:immudb-security@codenotary.com)\n",
  "id": "GHSA-672p-m5jq-mrh8",
  "modified": "2024-05-20T21:34:49Z",
  "published": "2022-11-21T20:38:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codenotary/immudb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Verification of Proofs generated by the immudb server in client SDK."
}

FKIE_CVE-2022-36111

Vulnerability from fkie_nvd - Published: 2022-11-23 18:15 - Updated: 2024-11-21 07:12

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/codenotary/immudb/releases/tag/v1.4.1	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake	Exploit, Third Party Advisory
security-advisories@github.com	https://pkg.go.dev/github.com/codenotary/immudb/pkg/client	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/codenotary/immudb/releases/tag/v1.4.1	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://pkg.go.dev/github.com/codenotary/immudb/pkg/client	Third Party Advisory

Impacted products

	Vendor	Product	Version
	codenotary	immudb	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0EA9B368-DD84-4E51-ABFB-7FDEF2E9807E",
              "versionEndExcluding": "1.4.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."
    },
    {
      "lang": "es",
      "value": "immudb es una base de datos con prueba y verificaci\u00f3n criptogr\u00e1fica incorporada. En versiones anteriores a la 1.4.1, un servidor immudb malicioso puede proporcionar una prueba falsificada que ser\u00e1 aceptada por el SDK del cliente al firmar una transacci\u00f3n falsificada que reemplaza la genuina. Esta situaci\u00f3n no puede ser provocada por un servidor immudb genuino y requiere que el cliente realice una lista espec\u00edfica de operaciones verificadas que resultan en la aceptaci\u00f3n de un valor de estado no v\u00e1lido. Esta vulnerabilidad solo afecta a los SDK del cliente immudb; el servidor immudb en s\u00ed no se ve afectado por esta vulnerabilidad. Este problema se solucion\u00f3 en la versi\u00f3n 1.4.1."
    }
  ],
  "id": "CVE-2022-36111",
  "lastModified": "2024-11-21T07:12:24.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-23T18:15:11.787",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2022-36111

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-36111

Aliases

CVE-2022-36111

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-36111",
    "description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
    "id": "GSD-2022-36111"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-36111"
      ],
      "details": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
      "id": "GSD-2022-36111",
      "modified": "2023-12-13T01:19:21.870250Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-36111",
        "STATE": "PUBLIC",
        "TITLE": "immundb has insufficient verification of data authenticity"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "immudb",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.4.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "codenotary"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-345: Insufficient Verification of Data Authenticity"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
            "refsource": "MISC",
            "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
          },
          {
            "name": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
            "refsource": "CONFIRM",
            "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
          },
          {
            "name": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
            "refsource": "MISC",
            "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
          },
          {
            "name": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
            "refsource": "MISC",
            "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-672p-m5jq-mrh8",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv1.4.1",
          "affected_versions": "All versions before 1.4.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-345",
            "CWE-937"
          ],
          "date": "2023-02-14",
          "description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
          "fixed_versions": [
            "v1.4.1"
          ],
          "identifier": "CVE-2022-36111",
          "identifiers": [
            "GHSA-672p-m5jq-mrh8",
            "CVE-2022-36111"
          ],
          "not_impacted": "All versions starting from 1.4.1",
          "package_slug": "go/github.com/codenotary/immudb",
          "pubdate": "2022-11-21",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Insufficient Verification of Data Authenticity",
          "urls": [
            "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
            "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
            "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
            "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
            "https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81",
            "https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6",
            "https://pkg.go.dev/vuln/GO-2022-1117",
            "https://github.com/advisories/GHSA-672p-m5jq-mrh8"
          ],
          "uuid": "aca85e0f-f3d2-4987-a560-ec28e5d35cc9",
          "versions": [
            {
              "commit": {
                "sha": "ad7623ce74bb3257d78af75941d494883591141a",
                "tags": [
                  "v1.4.1"
                ],
                "timestamp": "20221121134825"
              },
              "number": "v1.4.1"
            }
          ]
        },
        {
          "affected_range": "\u003cv1.4.1",
          "affected_versions": "All versions before 1.4.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-345",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
          "fixed_versions": [
            "v1.4.1"
          ],
          "identifier": "CVE-2022-36111",
          "identifiers": [
            "GHSA-672p-m5jq-mrh8",
            "CVE-2022-36111"
          ],
          "not_impacted": "All versions starting from 1.4.1",
          "package_slug": "go/github.com/codenotary/immudb/embedded/store",
          "pubdate": "2022-11-21",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Insufficient Verification of Data Authenticity",
          "urls": [
            "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
            "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
            "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
            "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
            "https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81",
            "https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6",
            "https://pkg.go.dev/vuln/GO-2022-1117",
            "https://github.com/advisories/GHSA-672p-m5jq-mrh8"
          ],
          "uuid": "770f77b1-05fe-4c80-859f-808d5ba211b8",
          "versions": [
            {
              "commit": {
                "sha": "ad7623ce74bb3257d78af75941d494883591141a",
                "tags": [
                  "v1.4.1"
                ],
                "timestamp": "20221121134825"
              },
              "number": "v1.4.1"
            }
          ]
        },
        {
          "affected_range": "\u003cv1.4.1",
          "affected_versions": "All versions before 1.4.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-345",
            "CWE-937"
          ],
          "date": "2022-11-27",
          "description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
          "fixed_versions": [
            "v1.4.1"
          ],
          "identifier": "CVE-2022-36111",
          "identifiers": [
            "CVE-2022-36111",
            "GHSA-672p-m5jq-mrh8",
            "GMS-2022-6877"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/codenotary/immudb/pkg/client",
          "pubdate": "2022-11-23",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Insufficient Verification of Data Authenticity",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
            "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
            "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
            "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
            "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
            "https://github.com/advisories/GHSA-672p-m5jq-mrh8"
          ],
          "uuid": "5873be0d-a156-4ea7-956d-2e5621d7e062",
          "versions": [
            {
              "commit": {
                "sha": "ad7623ce74bb3257d78af75941d494883591141a",
                "tags": [
                  "v1.4.1"
                ],
                "timestamp": "20221121134825"
              },
              "number": "v1.4.1"
            }
          ]
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 1.4.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-21",
          "description": "In certain scenario a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value.",
          "fixed_versions": [
            "v1.4.1"
          ],
          "identifier": "GMS-2022-6877",
          "identifiers": [
            "GHSA-672p-m5jq-mrh8",
            "GMS-2022-6877",
            "CVE-2022-36111"
          ],
          "not_impacted": "All versions starting from 1.4.1",
          "package_slug": "go/github.com/codenotary/immudb/pkg/client",
          "pubdate": "2022-11-21",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Duplicate of ./go/github.com/codenotary/immudb/pkg/client/CVE-2022-36111.yml",
          "urls": [
            "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
            "https://github.com/advisories/GHSA-672p-m5jq-mrh8"
          ],
          "uuid": "24fffad2-f7a9-4ac8-83c9-01b7488a5e15",
          "versions": [
            {
              "commit": {
                "sha": "ad7623ce74bb3257d78af75941d494883591141a",
                "tags": [
                  "v1.4.1"
                ],
                "timestamp": "20221121134825"
              },
              "number": "v1.4.1"
            }
          ]
        },
        {
          "affected_range": "\u003cv1.4.1",
          "affected_versions": "All versions before 1.4.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-345",
            "CWE-937"
          ],
          "date": "2023-02-09",
          "description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
          "fixed_versions": [
            "v1.4.1"
          ],
          "identifier": "CVE-2022-36111",
          "identifiers": [
            "GHSA-672p-m5jq-mrh8",
            "CVE-2022-36111"
          ],
          "not_impacted": "All versions starting from 1.4.1",
          "package_slug": "go/github.com/codenotary/immudb/pkg/client/auditor",
          "pubdate": "2022-11-21",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Insufficient Verification of Data Authenticity",
          "urls": [
            "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
            "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
            "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
            "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
            "https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81",
            "https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6",
            "https://pkg.go.dev/vuln/GO-2022-1117",
            "https://github.com/advisories/GHSA-672p-m5jq-mrh8"
          ],
          "uuid": "0a4a963b-efbd-4317-9e02-dc68585d096f",
          "versions": [
            {
              "commit": {
                "sha": "ad7623ce74bb3257d78af75941d494883591141a",
                "tags": [
                  "v1.4.1"
                ],
                "timestamp": "20221121134825"
              },
              "number": "v1.4.1"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36111"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-345"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
            },
            {
              "name": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
            },
            {
              "name": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
            },
            {
              "name": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-11-27T04:33Z",
      "publishedDate": "2022-11-23T18:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-36111 (GCVE-0-2022-36111)

GHSA-672P-M5JQ-MRH8

Impact

Detailed description

Patches

Workarounds

References

For more information

FKIE_CVE-2022-36111

GSD-2022-36111

Tags

Sightings

Nomenclature