ghsa-ff5x-w9wg-h275
Vulnerability from github
Published
2020-03-06 01:15
Modified
2020-02-28 16:38
VLAI Severity ?
Summary
Holder can generate proof of ownership for credentials it does not control in vp-toolkit
Details
Impact
The verifyVerifiablePresentation() method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the credentialSubject.id DID matches the signer of the VP proof.
The verifier is impacted by this vulnerability.
Patches
Patch will be available in version 0.2.2.
Workarounds
- Compute the address out of the
verifiablePresentation.proof.n.verificationMethodusinggetAddressFromPubKey()fromcrypt-util@0.1.5and match it with thecredentialSubject.idaddress from the credential.
References
For more information
If you have any questions or comments about this advisory: * Discuss in the existing issue * Contact me
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vp-toolkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-02-28T16:38:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe [`verifyVerifiablePresentation()`](https://github.com/rabobank-blockchain/vp-toolkit/blob/master/src/service/signers/verifiable-presentation-signer.ts#L97) method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the [`credentialSubject.id`](https://github.com/rabobank-blockchain/vp-toolkit-models/blob/develop/src/model/verifiable-credential.ts#L150) DID matches the signer of the VP proof.\n\nThe **verifier** is impacted by this vulnerability.\n\n### Patches\nPatch will be available in version 0.2.2.\n\n### Workarounds\n- Compute the address out of the `verifiablePresentation.proof.n.verificationMethod` using `getAddressFromPubKey()` from `crypt-util@0.1.5` and match it with the `credentialSubject.id` address from the credential.\n\n### References\n[Github issue](https://github.com/rabobank-blockchain/vp-toolkit/issues/14)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Discuss in the existing [issue](https://github.com/rabobank-blockchain/vp-toolkit/issues/14)\n* [Contact me](https://github.com/rabomarnix)",
"id": "GHSA-ff5x-w9wg-h275",
"modified": "2020-02-28T16:38:18Z",
"published": "2020-03-06T01:15:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/security/advisories/GHSA-ff5x-w9wg-h275"
},
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/issues/14"
},
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/commit/18a7db84d3265c6ffa10ef63eb37ae1bd4ba192b"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Holder can generate proof of ownership for credentials it does not control in vp-toolkit"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…