GHSA-P94W-42G3-F7H4
Vulnerability from github – Published: 2020-03-06 01:16 – Updated: 2020-02-28 16:38
VLAI?
Summary
Holder can (re)create authentic credentials after receiving a credential in vp-toolkit
Details
Impact
The verifyVerifiableCredential() method check the cryptographic integrity of the Verifiable Credential, but it does not check if the credential.issuer DID matches the signer of the credential.
The verifier is impacted by this vulnerability.
Patches
Patch will be available in version 0.2.2.
Workarounds
In case you trust certain issuers for certain credentials as a verifier, trust the issuer's public key from the credential.proof.verificationMethod field.
References
For more information
If you have any questions or comments about this advisory: * Discuss in the existing issue * Contact me
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vp-toolkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-02-28T16:38:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe [`verifyVerifiableCredential()`](https://github.com/rabobank-blockchain/vp-toolkit/blob/master/src/service/signers/verifiable-credential-signer.ts#L57) method check the cryptographic integrity of the Verifiable Credential, but it does not check if the [`credential.issuer`](https://github.com/rabobank-blockchain/vp-toolkit-models/blob/develop/src/model/verifiable-credential.ts#L129) DID matches the signer of the credential.\n\nThe **verifier** is impacted by this vulnerability.\n\n### Patches\nPatch will be available in version 0.2.2.\n\n### Workarounds\nIn case you trust certain issuers for certain credentials as a verifier, trust the issuer\u0026#39;s public key from the `credential.proof.verificationMethod` field.\n\n### References\n[Github issue](https://github.com/rabobank-blockchain/vp-toolkit/issues/13)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Discuss in the existing [issue](https://github.com/rabobank-blockchain/vp-toolkit/issues/13)\n* [Contact me](https://github.com/rabomarnix)",
"id": "GHSA-p94w-42g3-f7h4",
"modified": "2020-02-28T16:38:09Z",
"published": "2020-03-06T01:16:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/security/advisories/GHSA-p94w-42g3-f7h4"
},
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/issues/13"
},
{
"type": "WEB",
"url": "https://github.com/rabobank-blockchain/vp-toolkit/commit/6315936d1d7913fd116fa51a0dbbd29d82c0ce17"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Holder can (re)create authentic credentials after receiving a credential in vp-toolkit"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…