GSD-2022-36111
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-36111",
"description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
"id": "GSD-2022-36111"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-36111"
],
"details": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
"id": "GSD-2022-36111",
"modified": "2023-12-13T01:19:21.870250Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36111",
"STATE": "PUBLIC",
"TITLE": "immundb has insufficient verification of data authenticity"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "immudb",
"version": {
"version_data": [
{
"version_value": "\u003c 1.4.1"
}
]
}
}
]
},
"vendor_name": "codenotary"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-345: Insufficient Verification of Data Authenticity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
"refsource": "MISC",
"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
},
{
"name": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"refsource": "CONFIRM",
"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
},
{
"name": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
"refsource": "MISC",
"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
},
{
"name": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
"refsource": "MISC",
"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
}
]
},
"source": {
"advisory": "GHSA-672p-m5jq-mrh8",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003cv1.4.1",
"affected_versions": "All versions before 1.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-345",
"CWE-937"
],
"date": "2023-02-14",
"description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
"fixed_versions": [
"v1.4.1"
],
"identifier": "CVE-2022-36111",
"identifiers": [
"GHSA-672p-m5jq-mrh8",
"CVE-2022-36111"
],
"not_impacted": "All versions starting from 1.4.1",
"package_slug": "go/github.com/codenotary/immudb",
"pubdate": "2022-11-21",
"solution": "Upgrade to version 1.4.1 or above.",
"title": "Insufficient Verification of Data Authenticity",
"urls": [
"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
"https://github.com/codenotary/immudb/releases/tag/v1.4.1",
"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
"https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81",
"https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6",
"https://pkg.go.dev/vuln/GO-2022-1117",
"https://github.com/advisories/GHSA-672p-m5jq-mrh8"
],
"uuid": "aca85e0f-f3d2-4987-a560-ec28e5d35cc9",
"versions": [
{
"commit": {
"sha": "ad7623ce74bb3257d78af75941d494883591141a",
"tags": [
"v1.4.1"
],
"timestamp": "20221121134825"
},
"number": "v1.4.1"
}
]
},
{
"affected_range": "\u003cv1.4.1",
"affected_versions": "All versions before 1.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-345",
"CWE-937"
],
"date": "2023-02-09",
"description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
"fixed_versions": [
"v1.4.1"
],
"identifier": "CVE-2022-36111",
"identifiers": [
"GHSA-672p-m5jq-mrh8",
"CVE-2022-36111"
],
"not_impacted": "All versions starting from 1.4.1",
"package_slug": "go/github.com/codenotary/immudb/embedded/store",
"pubdate": "2022-11-21",
"solution": "Upgrade to version 1.4.1 or above.",
"title": "Insufficient Verification of Data Authenticity",
"urls": [
"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
"https://github.com/codenotary/immudb/releases/tag/v1.4.1",
"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
"https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81",
"https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6",
"https://pkg.go.dev/vuln/GO-2022-1117",
"https://github.com/advisories/GHSA-672p-m5jq-mrh8"
],
"uuid": "770f77b1-05fe-4c80-859f-808d5ba211b8",
"versions": [
{
"commit": {
"sha": "ad7623ce74bb3257d78af75941d494883591141a",
"tags": [
"v1.4.1"
],
"timestamp": "20221121134825"
},
"number": "v1.4.1"
}
]
},
{
"affected_range": "\u003cv1.4.1",
"affected_versions": "All versions before 1.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-345",
"CWE-937"
],
"date": "2022-11-27",
"description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
"fixed_versions": [
"v1.4.1"
],
"identifier": "CVE-2022-36111",
"identifiers": [
"CVE-2022-36111",
"GHSA-672p-m5jq-mrh8",
"GMS-2022-6877"
],
"not_impacted": "",
"package_slug": "go/github.com/codenotary/immudb/pkg/client",
"pubdate": "2022-11-23",
"solution": "Upgrade to version 1.4.1 or above.",
"title": "Insufficient Verification of Data Authenticity",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
"https://github.com/codenotary/immudb/releases/tag/v1.4.1",
"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
"https://github.com/advisories/GHSA-672p-m5jq-mrh8"
],
"uuid": "5873be0d-a156-4ea7-956d-2e5621d7e062",
"versions": [
{
"commit": {
"sha": "ad7623ce74bb3257d78af75941d494883591141a",
"tags": [
"v1.4.1"
],
"timestamp": "20221121134825"
},
"number": "v1.4.1"
}
]
},
{
"affected_range": "\u003c0",
"affected_versions": "All versions before 1.4.1",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-11-21",
"description": "In certain scenario a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value.",
"fixed_versions": [
"v1.4.1"
],
"identifier": "GMS-2022-6877",
"identifiers": [
"GHSA-672p-m5jq-mrh8",
"GMS-2022-6877",
"CVE-2022-36111"
],
"not_impacted": "All versions starting from 1.4.1",
"package_slug": "go/github.com/codenotary/immudb/pkg/client",
"pubdate": "2022-11-21",
"solution": "Upgrade to version 1.4.1 or above.",
"title": "Duplicate of ./go/github.com/codenotary/immudb/pkg/client/CVE-2022-36111.yml",
"urls": [
"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"https://github.com/advisories/GHSA-672p-m5jq-mrh8"
],
"uuid": "24fffad2-f7a9-4ac8-83c9-01b7488a5e15",
"versions": [
{
"commit": {
"sha": "ad7623ce74bb3257d78af75941d494883591141a",
"tags": [
"v1.4.1"
],
"timestamp": "20221121134825"
},
"number": "v1.4.1"
}
]
},
{
"affected_range": "\u003cv1.4.1",
"affected_versions": "All versions before 1.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-345",
"CWE-937"
],
"date": "2023-02-09",
"description": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.",
"fixed_versions": [
"v1.4.1"
],
"identifier": "CVE-2022-36111",
"identifiers": [
"GHSA-672p-m5jq-mrh8",
"CVE-2022-36111"
],
"not_impacted": "All versions starting from 1.4.1",
"package_slug": "go/github.com/codenotary/immudb/pkg/client/auditor",
"pubdate": "2022-11-21",
"solution": "Upgrade to version 1.4.1 or above.",
"title": "Insufficient Verification of Data Authenticity",
"urls": [
"https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"https://nvd.nist.gov/vuln/detail/CVE-2022-36111",
"https://github.com/codenotary/immudb/releases/tag/v1.4.1",
"https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
"https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
"https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81",
"https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6",
"https://pkg.go.dev/vuln/GO-2022-1117",
"https://github.com/advisories/GHSA-672p-m5jq-mrh8"
],
"uuid": "0a4a963b-efbd-4317-9e02-dc68585d096f",
"versions": [
{
"commit": {
"sha": "ad7623ce74bb3257d78af75941d494883591141a",
"tags": [
"v1.4.1"
],
"timestamp": "20221121134825"
},
"number": "v1.4.1"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.4.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36111"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/codenotary/immudb/releases/tag/v1.4.1",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"
},
{
"name": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
},
{
"name": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
},
{
"name": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-11-27T04:33Z",
"publishedDate": "2022-11-23T18:15Z"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…