GHSA-97X9-59RV-Q5PM

Vulnerability from github – Published: 2024-01-09 20:31 – Updated: 2024-01-11 15:42
Summary
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
Details

Impact

When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation document.proof was not factored into the final verified value (true/false) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly "verified": true:

{
  "verified": true,
  "presentation_result": {
    "verified": false,
    "document": {
      "@context": [
        "https://www.w3.org/2018/credentials/v1"
      ],
      "type": [
        "VerifiablePresentation"
      ],
      "verifiableCredential": [
        {
          "@context": [
            "https://www.w3.org/2018/credentials/v1",
            "https://w3id.org/citizenship/v1"
          ],
          "type": [
            "VerifiableCredential",
            "PermanentResident"
          ],
          "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
          "issuanceDate": "2023-11-18",
          "credentialSubject": {
            "type": [
              "PermanentResident"
            ],
            "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
            "givenName": "Bob",
            "familyName": "Builder",
            "gender": "Male",
            "birthCountry": "Bahamas",
            "birthDate": "1958-07-17"
          },
          "proof": {
            "type": "Ed25519Signature2018",
            "proofPurpose": "assertionMethod",
            "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
            "created": "2023-11-18T21:39:56.988853+00:00",
            "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
          }
        }
      ],
      "proof": {
        "type": "Ed25519Signature2018",
        "proofPurpose": "authentication",
        "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
        "created": "2023-11-18T21:39:59.188276+00:00",
        "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d",
        "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw"
      }
    },
    "results": [
      {
        "verified": false,
        "proof": {
          "@context": [
            "https://www.w3.org/2018/credentials/v1"
          ],
          "type": "Ed25519Signature2018",
          "proofPurpose": "authentication",
          "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
          "created": "2023-11-18T21:39:59.188276+00:00",
          "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d",
          "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw"
        },
        "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969",
        "purpose_result": {
          "valid": false,
          "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
        }
      }
    ],
    "errors": [
      "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
    ]
  },
  "credential_results": [
    {
      "verified": true,
      "document": {
        "@context": [
          "https://www.w3.org/2018/credentials/v1",
          "https://w3id.org/citizenship/v1"
        ],
        "type": [
          "VerifiableCredential",
          "PermanentResident"
        ],
        "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
        "issuanceDate": "2023-11-18",
        "credentialSubject": {
          "type": [
            "PermanentResident"
          ],
          "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C",
          "givenName": "Bob",
          "familyName": "Builder",
          "gender": "Male",
          "birthCountry": "Bahamas",
          "birthDate": "1958-07-17"
        },
        "proof": {
          "type": "Ed25519Signature2018",
          "proofPurpose": "assertionMethod",
          "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
          "created": "2023-11-18T21:39:56.988853+00:00",
          "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
        }
      },
      "results": [
        {
          "verified": true,
          "proof": {
            "@context": [
              "https://www.w3.org/2018/credentials/v1",
              "https://w3id.org/citizenship/v1"
            ],
            "type": "Ed25519Signature2018",
            "proofPurpose": "assertionMethod",
            "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
            "created": "2023-11-18T21:39:56.988853+00:00",
            "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA"
          },
          "purpose_result": {
            "valid": true,
            "controller": {
              "@context": "https://w3id.org/security/v2",
              "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
              "assertionMethod": [
                "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1"
              ],
              "authentication": [
                {
                  "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
                  "type": "Ed25519VerificationKey2018",
                  "controller": "did:sov:EzcfrVw7Tveho5NjrmDWnd",
                  "publicKeyBase58": "8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo"
                }
              ],
              "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1",
              "https://www.w3.org/ns/did#service": {
                "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication",
                "type": "did-communication",
                "https://www.w3.org/ns/did#serviceEndpoint": {
                  "id": "http://alice:3000"
                }
              }
            }
          }
        }
      ]
    }
  ],
  "errors": [
    "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969"
  ]
}

The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed presentation proofs and still be reported as verified, and allows a malicious verifier to save a presentation received from such a holder and replay it to another verifier as its own.
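The aggregation defect described above, as an added example that is not ACA-Py's own code: a vulnerable aggregator that derives `verified` from the credential results only, beside a fixed one that also requires the presentation proof result and an empty error list, both run over a constructed presentation carrying the mismatched challenge from the record above. The function names and the simplified result shapes are assumptions; signature verification is taken as passed so that only the challenge check is modelled.

```python
# Added example, not ACA-Py's code: models how the overall `verified` flag
# of a presentation record is derived, before and after the fix above.
# Function names are hypothetical; challenge values are those from the advisory.

EXPECTED_CHALLENGE = "328daf6e-f1f5-475a-944e-6446e7b3a969"

# Constructed presentation: signatures are assumed to verify, so only the
# proof-purpose (challenge) check of the presentation proof is modelled.
PRESENTATION = {
    "type": ["VerifiablePresentation"],
    "verifiableCredential": [{"type": ["VerifiableCredential", "PermanentResident"]}],
    "proof": {"proofPurpose": "authentication",
              "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d"},
}


def check_presentation_proof(presentation: dict, expected_challenge: str) -> dict:
    """Return a `presentation_result`-shaped dict. The challenge binds the
    presentation to this verifier's request; a replayed presentation carries
    somebody else's challenge and fails here."""
    challenge = presentation["proof"].get("challenge")
    errors = []
    if challenge != expected_challenge:
        errors.append("The challenge is not as expected; "
                      f"challenge={challenge}, expected={expected_challenge}")
    return {"verified": not errors, "errors": errors}


def check_credentials(presentation: dict) -> list:
    """Constructed stand-in: each embedded credential is taken as verified."""
    return [{"verified": True, "errors": []} for _ in presentation["verifiableCredential"]]


def aggregate_vulnerable(presentation_result: dict, credential_results: list) -> bool:
    """Pre-fix aggregation: only credential results feed `verified`, so a
    failed presentation proof is silently ignored."""
    return all(cr["verified"] for cr in credential_results)


def aggregate_fixed(presentation_result: dict, credential_results: list) -> bool:
    """Fixed aggregation: the presentation proof must verify and no error
    may be recorded anywhere in the result."""
    return (bool(presentation_result["verified"])
            and not presentation_result["errors"]
            and all(cr["verified"] and not cr["errors"] for cr in credential_results))


def verify_presentation(presentation: dict, expected_challenge: str,
                        fixed: bool = True) -> dict:
    """Build the presentation record with the fixed or the vulnerable aggregation."""
    pres = check_presentation_proof(presentation, expected_challenge)
    creds = check_credentials(presentation)
    aggregate = aggregate_fixed if fixed else aggregate_vulnerable
    errors = list(pres["errors"]) + [e for cr in creds for e in cr["errors"]]
    return {"verified": aggregate(pres, creds), "presentation_result": pres,
            "credential_results": creds, "errors": errors}


if __name__ == "__main__":
    for fixed in (False, True):
        rec = verify_presentation(PRESENTATION, EXPECTED_CHALLENGE, fixed=fixed)
        print(("fixed" if fixed else "vulnerable"), rec["verified"], rec["errors"])
```

Run stand-alone, the vulnerable path reports `True` while an error is recorded, exactly the shape of the record above; the fixed path reports `False`.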

This vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release 0.7.0.

All ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.

Patches

This issue has been patched in version 0.10.5 and fixed in 0.11.0.

Workarounds

There is no workaround other than upgrading to a patched/fixed version of ACA-Py.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aries-cloudagent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "0.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aries-cloudagent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0rc1"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T20:31:55Z",
    "nvd_published_at": "2024-01-11T06:15:44Z",
    "severity": "CRITICAL"
  },
  "id": "GHSA-97x9-59rv-q5pm",
  "modified": "2024-01-11T15:42:21Z",
  "published": "2024-01-09T20:31:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hyperledger/aries-cloudagent-python"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC"
}