Key Expiry Vulnerability in Conduit's Signature Validation
CVE-2024-6299
3.7LOW
Key Information
- Vendor
- The Conduit Contributors
- Status
- Conduit
- Vendor
- CVE Published:
- 25 June 2024
Summary
Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date
Affected Version(s)
Conduit < 0.8.0
Refferences
CVSS V3.1
Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability Reserved
Vulnerability published
Collectors
NVD DatabaseMitre Database
Credit
Michael Maltsev for finding vulnerability, Matthias Ahouansou for fixing it