Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
CVE-2024-21669

9.9 CRITICAL

Key Information:

Vendor
CVE Published:
11 January 2024

What is CVE-2024-21669?

The vulnerability in Hyperledger Aries Cloud Agent Python occurs when verifying W3C-format Verifiable Credentials that use JSON-LD with Linked Data Proofs. The verification process does not properly take document.proof into account when deciding whether a presentation is valid, so improperly constructed credentials can be accepted as valid. This flaw lets a malicious user reuse presentations saved from credential holders, compromising the integrity of identity verification. The issue affects versions from 0.7.0 up to, but not including, 0.10.5; version 0.10.5 fixes the improper handling of credential proofs.
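To make the flaw concrete, here is an added illustrative example (not ACA-Py's own code): a presentation verifier that only checks the embedded credentials' proofs, beside one that also requires the presentation's own document.proof to verify and to be bound to the presenting holder. It assumes a stand-in HMAC proof scheme with constructed DIDs and keys in place of real Linked Data Proofs.

```python
import hashlib
import hmac
import json

# Constructed keys for the stand-in proof scheme (hypothetical identifiers).
KEYS = {"did:example:issuer": b"issuer-secret", "did:example:holder": b"holder-secret"}


def _signing_input(doc):
    # Canonical form of the document with its own proof removed; a real
    # scheme normalises JSON-LD, the stand-in uses sorted compact JSON.
    body = {k: v for k, v in doc.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(doc, key_id):
    # Attach a stand-in Linked Data proof (HMAC instead of a public-key signature).
    signed = dict(doc)
    tag = hmac.new(KEYS[key_id], _signing_input(signed), hashlib.sha256).hexdigest()
    signed["proof"] = {"verificationMethod": key_id, "signature": tag}
    return signed


def verify_proof(doc):
    # True only if doc.proof exists and verifies over the document body.
    proof = doc.get("proof") or {}
    key = KEYS.get(proof.get("verificationMethod"))
    if key is None:
        return False
    expected = hmac.new(key, _signing_input(doc), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(proof.get("signature", "")))


def verify_presentation_vulnerable(vp):
    # Bug pattern from the advisory: only the embedded credentials' proofs
    # decide the outcome; the presentation's own proof is never consulted.
    return all(verify_proof(vc) for vc in vp.get("verifiableCredential", []))


def verify_presentation_fixed(vp, expected_holder):
    # Every credential proof must verify AND the presentation itself must carry
    # a valid proof bound to the holder who is presenting it.
    creds = vp.get("verifiableCredential", [])
    if not creds or not all(verify_proof(vc) for vc in creds):
        return False
    if not verify_proof(vp):
        return False
    return vp.get("holder") == expected_holder and vp["proof"]["verificationMethod"] == expected_holder
```

A presentation that carries a genuine credential but no holder proof passes the vulnerable verifier and is rejected by the fixed one.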

Affected Version(s)

aries-cloudagent-python: affected >= 0.7.0, < 0.10.5 (not affected: < 0.7.0; fixed in 0.10.5)

aries-cloudagent-python: affected >= 0.11.0rc1, < 0.11.0 (not affected: < 0.11.0rc1; fixed in 0.11.0)

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved