CVE-2020-11090 (GCVE-0-2020-11090)

Vulnerability from cvelistv5 – Published: 2020-06-11 00:05 – Updated: 2024-08-04 11:21

Summary

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/hyperledger/indy-node/security…	x_refsource_CONFIRM
	https://pypi.org/project/indy-node/1.12.3/	x_refsource_MISC
	https://github.com/hyperledger/indy-node/blob/mas…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Hyperledger	Indy Node	Affected: = 1.12.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.678Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pypi.org/project/indy-node/1.12.3/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Indy Node",
          "vendor": "Hyperledger",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.12.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-11T00:05:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pypi.org/project/indy-node/1.12.3/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
        }
      ],
      "source": {
        "advisory": "GHSA-3gw4-m5w7-v89c",
        "discovery": "UNKNOWN"
      },
      "title": "Uncontrolled Resource Consumption in Indy Node",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11090",
          "STATE": "PUBLIC",
          "TITLE": "Uncontrolled Resource Consumption in Indy Node"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Indy Node",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "= 1.12.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Hyperledger"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c",
              "refsource": "CONFIRM",
              "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
            },
            {
              "name": "https://pypi.org/project/indy-node/1.12.3/",
              "refsource": "MISC",
              "url": "https://pypi.org/project/indy-node/1.12.3/"
            },
            {
              "name": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123",
              "refsource": "MISC",
              "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-3gw4-m5w7-v89c",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11090",
    "datePublished": "2020-06-11T00:05:14",
    "dateReserved": "2020-03-30T00:00:00",
    "dateUpdated": "2024-08-04T11:21:14.678Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:linuxfoundation:indy-node:1.12.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6DF979BB-4DCF-4234-89F1-ADAD619A80AC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.\"}, {\"lang\": \"es\", \"value\": \"En Indy Node versi\\u00f3n 1.12.2, se presenta una vulnerabilidad de Consumo de Recursos No Controlados. Indy Node presenta un bug en el c\\u00f3digo de manejo de TAA. El primario actual puede bloquearse con una transacci\\u00f3n malformada de un cliente, lo que conlleva a un cambio de vista. Los cambios repetidos de vista r\\u00e1pida tienen el potencial de derribar la red. Esto es corregido en la versi\\u00f3n 1.12.3\"}]",
      "id": "CVE-2020-11090",
      "lastModified": "2024-11-21T04:56:46.020",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-11T00:15:22.443",
      "references": "[{\"url\": \"https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://pypi.org/project/indy-node/1.12.3/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://pypi.org/project/indy-node/1.12.3/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-11090\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-06-11T00:15:22.443\",\"lastModified\":\"2024-11-21T04:56:46.020\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.\"},{\"lang\":\"es\",\"value\":\"En Indy Node versi\u00f3n 1.12.2, se presenta una vulnerabilidad de Consumo de Recursos No Controlados. Indy Node presenta un bug en el c\u00f3digo de manejo de TAA. El primario actual puede bloquearse con una transacci\u00f3n malformada de un cliente, lo que conlleva a un cambio de vista. Los cambios repetidos de vista r\u00e1pida tienen el potencial de derribar la red. Esto es corregido en la versi\u00f3n 1.12.3\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:indy-node:1.12.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DF979BB-4DCF-4234-89F1-ADAD619A80AC\"}]}]}],\"references\":[{\"url\":\"https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/indy-node/1.12.3/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/indy-node/1.12.3/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2020-11090

Vulnerability from fkie_nvd - Published: 2020-06-11 00:15 - Updated: 2024-11-21 04:56

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c	Third Party Advisory
security-advisories@github.com	https://pypi.org/project/indy-node/1.12.3/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://pypi.org/project/indy-node/1.12.3/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	linuxfoundation	indy-node	1.12.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxfoundation:indy-node:1.12.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DF979BB-4DCF-4234-89F1-ADAD619A80AC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."
    },
    {
      "lang": "es",
      "value": "En Indy Node versi\u00f3n 1.12.2, se presenta una vulnerabilidad de Consumo de Recursos No Controlados. Indy Node presenta un bug en el c\u00f3digo de manejo de TAA. El primario actual puede bloquearse con una transacci\u00f3n malformada de un cliente, lo que conlleva a un cambio de vista. Los cambios repetidos de vista r\u00e1pida tienen el potencial de derribar la red. Esto es corregido en la versi\u00f3n 1.12.3"
    }
  ],
  "id": "CVE-2020-11090",
  "lastModified": "2024-11-21T04:56:46.020",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-11T00:15:22.443",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pypi.org/project/indy-node/1.12.3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pypi.org/project/indy-node/1.12.3/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-3GW4-M5W7-V89C

Vulnerability from github – Published: 2020-06-11 00:04 – Updated: 2024-11-18 16:26

Summary

Uncontrolled Resource Consumption in Indy Node

Details

Summary

Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network.

Discovery

On May 18, Evernym's monitoring of Sovrin StagingNet showed a report of StagingNet losing sufficient consensus to validate write transactions. The problem resolved itself within a few minutes. On May 20th we saw the alert multiple times, and we began analyzing the logs of our steward node. On May 21st we continued to see the alerts with increasing frequency.

It appears that someone is unknowingly sending a malformed transaction, and retrying when the transaction fails. The cause of the errors appear to be the TAA acceptance.

Proposed actions

Reproduce problem in integration tests and create a fix
Do a hotfix release branching from last stable (current master have some things merged that are too risky)
Upgrade BuilderNet, StagingNet and MainNet as soon as possible
Improve testing strategy on Indy Node to reduce probability of such bugs

Notes

The journalctl logs also show an out-of-memory problem on the Australia node. We need to evaluate if this should be raised as a separate issue.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indy-node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.2"
            },
            {
              "fixed": "1.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.12.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-11T00:02:06Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# Summary\nIndy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network.\n\n# Discovery\nOn May 18, Evernym\u0027s monitoring of Sovrin StagingNet showed a report of StagingNet losing sufficient consensus to validate write transactions. The problem resolved itself within a few minutes. On May 20th we saw the alert multiple times, and we began analyzing the logs of our steward node. On May 21st we continued to see the alerts with increasing frequency.\n\nIt appears that someone is unknowingly sending a malformed transaction, and retrying when the transaction fails. The cause of the errors appear to be the TAA acceptance.\n\n# Proposed actions\n* Reproduce problem in integration tests and create a fix\n* Do a hotfix release branching from last stable (current master have some things merged that are too risky)\n* Upgrade BuilderNet, StagingNet and MainNet as soon as possible\n* Improve testing strategy on Indy Node to reduce probability of such bugs\n\n# Notes\n* The journalctl logs also show an out-of-memory problem on the Australia node. We need to evaluate if this should be raised as a separate issue.",
  "id": "GHSA-3gw4-m5w7-v89c",
  "modified": "2024-11-18T16:26:06Z",
  "published": "2020-06-11T00:04:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11090"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hyperledger/indy-node"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/indy-node/PYSEC-2020-47.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/indy-node/1.12.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in Indy Node"
}

GSD-2020-11090

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-11090

Aliases

CVE-2020-11090

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-11090",
    "description": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.",
    "id": "GSD-2020-11090"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-11090"
      ],
      "details": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.",
      "id": "GSD-2020-11090",
      "modified": "2023-12-13T01:22:06.774772Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-11090",
        "STATE": "PUBLIC",
        "TITLE": "Uncontrolled Resource Consumption in Indy Node"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Indy Node",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "= 1.12.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Hyperledger"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c",
            "refsource": "CONFIRM",
            "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
          },
          {
            "name": "https://pypi.org/project/indy-node/1.12.3/",
            "refsource": "MISC",
            "url": "https://pypi.org/project/indy-node/1.12.3/"
          },
          {
            "name": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123",
            "refsource": "MISC",
            "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-3gw4-m5w7-v89c",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "==1.12.2",
          "affected_versions": "Version 1.12.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2020-06-22",
          "description": "In Indy Node, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network.",
          "fixed_versions": [
            "1.12.3"
          ],
          "identifier": "CVE-2020-11090",
          "identifiers": [
            "CVE-2020-11090",
            "GHSA-3gw4-m5w7-v89c"
          ],
          "not_impacted": "All versions before 1.12.2, all versions after 1.12.2",
          "package_slug": "pypi/indy-node",
          "pubdate": "2020-06-11",
          "solution": "Upgrade to version 1.12.3 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-11090"
          ],
          "uuid": "0e771ad7-5f70-4d79-bddc-b1ab10e97f49"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:indy-node:1.12.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11090"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pypi.org/project/indy-node/1.12.3/",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://pypi.org/project/indy-node/1.12.3/"
            },
            {
              "name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
            },
            {
              "name": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-06-22T16:36Z",
      "publishedDate": "2020-06-11T00:15Z"
    }
  }
}

PYSEC-2020-47

Vulnerability from pysec - Published: 2020-06-11 00:15 - Updated: 2020-06-22 16:36

Details

Impacted products

Name	purl
indy-node	pkg:pypi/indy-node

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indy-node",
        "purl": "pkg:pypi/indy-node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1.dev38",
        "0.0.1.dev40",
        "0.0.2",
        "0.0.3",
        "0.0.4",
        "0.0.12",
        "0.0.20",
        "0.0.21",
        "0.0.22",
        "0.0.23",
        "0.0.24",
        "0.0.25",
        "0.0.28",
        "0.0.30",
        "0.0.31",
        "0.0.32",
        "0.4.27",
        "1.0.28",
        "1.0.29",
        "1.1.1",
        "1.1.30",
        "1.1.31",
        "1.1.32",
        "1.1.33",
        "1.1.34",
        "1.1.35",
        "1.1.36",
        "1.1.37",
        "1.1.38",
        "1.1.39",
        "1.1.40",
        "1.1.41",
        "1.1.42",
        "1.1.43",
        "1.2.44",
        "1.2.45",
        "1.2.46",
        "1.2.47",
        "1.2.48",
        "1.2.49",
        "1.2.50",
        "1.3.51",
        "1.3.52",
        "1.3.53",
        "1.3.54",
        "1.3.55",
        "1.3.56",
        "1.3.57",
        "1.3.58",
        "1.3.59",
        "1.3.60",
        "1.3.61",
        "1.3.62",
        "1.4.63",
        "1.4.64",
        "1.4.65",
        "1.4.66",
        "1.5.67",
        "1.5.68",
        "1.6.69",
        "1.6.70",
        "1.6.71",
        "1.6.72",
        "1.6.73",
        "1.6.74",
        "1.6.75",
        "1.6.76",
        "1.6.77",
        "1.6.78",
        "1.6.79",
        "1.6.80",
        "1.6.81",
        "1.6.82",
        "1.6.83",
        "1.7.0.dev878",
        "1.7.0.dev879",
        "1.7.0.dev880",
        "1.7.0.dev881",
        "1.7.0.dev882",
        "1.7.0.dev883",
        "1.7.0.dev884",
        "1.7.0.dev885",
        "1.7.0.dev886",
        "1.7.0.dev887",
        "1.7.0.dev888",
        "1.7.0.dev889",
        "1.7.0.dev890",
        "1.7.0.dev891",
        "1.7.0.dev892",
        "1.7.0.dev893",
        "1.7.0.dev894",
        "1.7.0.dev895",
        "1.7.0.dev896",
        "1.7.0.dev897",
        "1.7.0.dev898",
        "1.7.0.dev899",
        "1.7.0.dev900",
        "1.7.0.dev901",
        "1.7.0.dev902",
        "1.7.0.dev903",
        "1.7.0.dev904",
        "1.7.0.dev905",
        "1.7.0.dev906",
        "1.7.0.dev907",
        "1.7.0.dev908",
        "1.7.0.dev909",
        "1.7.0.dev910",
        "1.7.0.dev911",
        "1.7.0.dev912",
        "1.7.0.dev913",
        "1.7.0.dev914",
        "1.7.0",
        "1.7.1",
        "1.8.0.dev915",
        "1.8.0.dev916",
        "1.8.0.dev917",
        "1.8.0.dev918",
        "1.8.0.dev919",
        "1.8.0.dev920",
        "1.8.0.dev921",
        "1.8.0.dev922",
        "1.8.0.dev923",
        "1.8.0.dev924",
        "1.8.0.dev925",
        "1.8.0.dev926",
        "1.8.0.dev927",
        "1.8.0.dev928",
        "1.8.0.dev929",
        "1.8.0.dev930",
        "1.8.0.dev931",
        "1.8.0.dev932",
        "1.8.0.dev933",
        "1.8.0.dev934",
        "1.8.0.dev935",
        "1.8.0.dev936",
        "1.8.0.dev937",
        "1.8.0.dev938",
        "1.8.0.dev939",
        "1.8.0.dev940",
        "1.8.0.dev941",
        "1.8.0.dev942",
        "1.8.0.dev943",
        "1.8.0.dev944",
        "1.8.0.dev945",
        "1.8.0.dev946",
        "1.8.0.dev947",
        "1.8.0.dev948",
        "1.8.0.dev951",
        "1.8.0.dev952",
        "1.8.0.dev953",
        "1.8.0.dev954",
        "1.8.0.dev955",
        "1.8.0.dev956",
        "1.8.0.dev957",
        "1.8.0.dev958",
        "1.8.0.dev959",
        "1.8.0.dev960",
        "1.8.0.dev961",
        "1.8.0.dev963",
        "1.8.0.dev964",
        "1.8.0.dev965",
        "1.8.0.dev966",
        "1.8.0.dev967",
        "1.8.0.dev968",
        "1.8.0.dev969",
        "1.8.0.dev970",
        "1.8.0.dev971",
        "1.8.0.dev972",
        "1.8.0.dev975",
        "1.8.0.dev977",
        "1.8.0.dev978",
        "1.8.0.dev979",
        "1.8.0.dev980",
        "1.8.0.dev981",
        "1.8.0.dev982",
        "1.8.0.dev983",
        "1.8.0.dev984",
        "1.8.0rc1",
        "1.8.0rc2",
        "1.8.0",
        "1.8.1rc1",
        "1.8.1",
        "1.9.0.dev985",
        "1.9.0.dev986",
        "1.9.0.dev987",
        "1.9.0.dev988",
        "1.9.0.dev989",
        "1.9.0.dev990",
        "1.9.0.dev991",
        "1.9.0.dev992",
        "1.9.0.dev993",
        "1.9.0.dev994",
        "1.9.0.dev995",
        "1.9.0.dev996",
        "1.9.0.dev997",
        "1.9.0.dev998",
        "1.9.0.dev999",
        "1.9.0.dev1000",
        "1.9.0.dev1001",
        "1.9.0.dev1002",
        "1.9.0.dev1003",
        "1.9.0.dev1004",
        "1.9.0.dev1005",
        "1.9.0.dev1006",
        "1.9.0.dev1007",
        "1.9.0.dev1008",
        "1.9.0.dev1009",
        "1.9.0.dev1010",
        "1.9.0.dev1011",
        "1.9.0.dev1012",
        "1.9.0.dev1013",
        "1.9.0.dev1014",
        "1.9.0.dev1016",
        "1.9.0.dev1017",
        "1.9.0.dev1018",
        "1.9.0.dev1019",
        "1.9.0.dev1020",
        "1.9.0.dev1021",
        "1.9.0.dev1022",
        "1.9.0.dev1023",
        "1.9.0.dev1024",
        "1.9.0.dev1025",
        "1.9.0.dev1026",
        "1.9.0.dev1027",
        "1.9.0.dev1028",
        "1.9.0.dev1029",
        "1.9.0.dev1030",
        "1.9.0.dev1031",
        "1.9.0.dev1032",
        "1.9.0.dev1033",
        "1.9.0.dev1034",
        "1.9.0.dev1035",
        "1.9.0.dev1036",
        "1.9.0.dev1037",
        "1.9.0.dev1038",
        "1.9.0.dev1039",
        "1.9.0rc1",
        "1.9.0rc2",
        "1.9.0rc3",
        "1.9.0rc4",
        "1.9.0",
        "1.9.1.dev1040",
        "1.9.1.dev1041",
        "1.9.1.dev1042",
        "1.9.1.dev1043",
        "1.9.1.dev1044",
        "1.9.1.dev1045",
        "1.9.1.dev1046",
        "1.9.1.dev1047",
        "1.9.1.dev1048",
        "1.9.1.dev1049",
        "1.9.1rc1",
        "1.9.1",
        "1.9.2.dev1050",
        "1.9.2.dev1051",
        "1.9.2.dev1052",
        "1.9.2.dev1053",
        "1.9.2.dev1054",
        "1.9.2.dev1055",
        "1.9.2.dev1056",
        "1.9.2.dev1057",
        "1.9.2.dev1058",
        "1.9.2.dev1059",
        "1.9.2.dev1060",
        "1.9.2.dev1061",
        "1.9.2.dev1062",
        "1.9.2.dev1063",
        "1.9.2.dev1064",
        "1.9.2.dev1065",
        "1.9.2.dev1066",
        "1.9.2.dev1067",
        "1.9.2.dev1068",
        "1.9.2.dev1069",
        "1.9.2rc1",
        "1.9.2",
        "1.10.0.dev1070",
        "1.10.0.dev1071",
        "1.10.0.dev1072",
        "1.10.0.dev1073",
        "1.10.0.dev1074",
        "1.10.0.dev1075",
        "1.10.0.dev1076",
        "1.10.0.dev1077",
        "1.10.0.dev1078",
        "1.10.0.dev1079",
        "1.10.0.dev1080",
        "1.10.0.dev1081",
        "1.10.0.dev1082",
        "1.10.0.dev1083",
        "1.10.0.dev1084",
        "1.10.0.dev1085",
        "1.10.0.dev1086",
        "1.10.0.dev1087",
        "1.10.0.dev1088",
        "1.10.0.dev1089",
        "1.10.0.dev1090",
        "1.10.0.dev1091",
        "1.10.0.dev1092",
        "1.10.0.dev1093",
        "1.10.0.dev1094",
        "1.10.0.dev1095",
        "1.10.0.dev1096",
        "1.10.0.dev1097",
        "1.10.0.dev1098",
        "1.10.0rc1",
        "1.10.0",
        "1.11.0.dev1099",
        "1.11.0.dev1100",
        "1.11.0.dev1101",
        "1.11.0.dev1102",
        "1.11.0.dev1103",
        "1.11.0.dev1104",
        "1.11.0.dev1105",
        "1.11.0.dev1106",
        "1.11.0.dev1107",
        "1.11.0.dev1108",
        "1.11.0.dev1109",
        "1.11.0.dev1110",
        "1.11.0.dev1111",
        "1.11.0.dev1112",
        "1.11.0.dev1113",
        "1.11.0.dev1114",
        "1.11.0.dev1115",
        "1.11.0.dev1116",
        "1.11.0.dev1117",
        "1.11.0.dev1118",
        "1.11.0.dev1119",
        "1.11.0.dev1120",
        "1.11.0.dev1121",
        "1.11.0.dev1122",
        "1.11.0.dev1123",
        "1.11.0rc1",
        "1.11.0",
        "1.12.0.dev1124",
        "1.12.0.dev1125",
        "1.12.0.dev1126",
        "1.12.0.dev1127",
        "1.12.0.dev1128",
        "1.12.0.dev1129",
        "1.12.0.dev1130",
        "1.12.0.dev1131",
        "1.12.0.dev1132",
        "1.12.0.dev1133",
        "1.12.0.dev1134",
        "1.12.0.dev1135",
        "1.12.0.dev1136",
        "1.12.0.dev1137",
        "1.12.0.dev1138",
        "1.12.0.dev1139",
        "1.12.0.dev1140",
        "1.12.0.dev1141",
        "1.12.0.dev1142",
        "1.12.0.dev1143",
        "1.12.0.dev1144",
        "1.12.0.dev1145",
        "1.12.0rc1",
        "1.12.0",
        "1.12.1.dev1146",
        "1.12.1.dev1147",
        "1.12.1.dev1148",
        "1.12.1.dev1149",
        "1.12.1.dev1150",
        "1.12.1.dev1151",
        "1.12.1.dev1152",
        "1.12.1.dev1153",
        "1.12.1.dev1154",
        "1.12.1.dev1155",
        "1.12.1.dev1156",
        "1.12.1.dev1157",
        "1.12.1.dev1158",
        "1.12.1.dev1159",
        "1.12.1.dev1160",
        "1.12.1.dev1161",
        "1.12.1.dev1162",
        "1.12.1.dev1163",
        "1.12.1.dev1164",
        "1.12.1.dev1165",
        "1.12.1.dev1166",
        "1.12.1.dev1167",
        "1.12.1.dev1168",
        "1.12.1.dev1169",
        "1.12.1.dev1170",
        "1.12.1.dev1171",
        "1.12.1.dev1172",
        "1.12.1.dev1173",
        "1.12.1.dev1174",
        "1.12.1.dev1175",
        "1.12.1.dev1176",
        "1.12.1.dev1177",
        "1.12.1.dev1178",
        "1.12.1.dev1179",
        "1.12.1rc1",
        "1.12.1",
        "1.12.2.dev1180",
        "1.12.2.dev1181",
        "1.12.2.dev1182",
        "1.12.2.dev1183",
        "1.12.2.dev1184",
        "1.12.2.dev1185",
        "1.12.2.dev1186",
        "1.12.2.dev1187",
        "1.12.2.dev1188",
        "1.12.2.dev1189",
        "1.12.2.dev1190",
        "1.12.2.dev1191",
        "1.12.2.dev1192",
        "1.12.2.dev1193",
        "1.12.2.dev1194",
        "1.12.2.dev1195",
        "1.12.2rc1",
        "1.12.2",
        "1.12.3rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11090",
    "GHSA-3gw4-m5w7-v89c"
  ],
  "details": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.",
  "id": "PYSEC-2020-47",
  "modified": "2020-06-22T16:36:00Z",
  "published": "2020-06-11T00:15:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/indy-node/1.12.3/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-11090 (GCVE-0-2020-11090)

FKIE_CVE-2020-11090

GHSA-3GW4-M5W7-V89C

Summary

Discovery

Proposed actions

Notes

GSD-2020-11090

PYSEC-2020-47

Tags

Sightings

Nomenclature