GHSA-FF5X-W9WG-H275
Vulnerability from github – Published: 2020-03-06 01:15 – Updated: 2020-02-28 16:38
VLAI?
Summary
Holder can generate proof of ownership for credentials it does not control in vp-toolkit
Details
Impact
The verifyVerifiablePresentation() method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the credentialSubject.id DID matches the signer of the VP proof.
The verifier is impacted by this vulnerability.
Patches
Patch will be available in version 0.2.2.
Workarounds
- Compute the address out of the
verifiablePresentation.proof.n.verificationMethodusinggetAddressFromPubKey()fromcrypt-util@0.1.5and match it with thecredentialSubject.idaddress from the credential.
References
For more information
If you have any questions or comments about this advisory: * Discuss in the existing issue * Contact me
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vp-toolkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-02-28T16:38:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe [`verifyVerifiablePresentation()`](https://github.com/rabobank-blockchain/vp-toolkit/blob/master/src/service/signers/verifiable-presentation-signer.ts#L97) method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the [`credentialSubject.id`](https://github.com/rabobank-blockchain/vp-toolkit-models/blob/develop/src/model/verifiable-credential.ts#L150) DID matches the signer of the VP proof.\n\nThe **verifier** is impacted by this vulnerability.\n\n### Patches\nPatch will be available in version 0.2.2.\n\n### Workarounds\n- Compute the address out of the `verifiablePresentation.proof.n.verificationMethod` using `getAddressFromPubKey()` from `crypt-util@0.1.5` and match it with the `credentialSubject.id` address from the credential.\n\n### References\n[Github issue](https://github.com/rabobank-blockchain/vp-toolkit/issues/14)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Discuss in the existing [issue](https://github.com/rabobank-blockchain/vp-toolkit/issues/14)\n* [Contact me](https://github.com/rabomarnix)",
"id": "GHSA-ff5x-w9wg-h275",
"modified": "2020-02-28T16:38:18Z",
"published": "2020-03-06T01:15:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/security/advisories/GHSA-ff5x-w9wg-h275"
},
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/issues/14"
},
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/commit/18a7db84d3265c6ffa10ef63eb37ae1bd4ba192b"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Holder can generate proof of ownership for credentials it does not control in vp-toolkit"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…