Key Expiry Vulnerability in Conduit's Signature Validation
CVE-2024-6299

3.7LOW

Key Information:

Vendor: The Conduit Contributors
Status: Conduit
Vendor: CVE Published:; 25 June 2024

Summary

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date

Affected Version(s)

Conduit 0 < 0.8.0

References

https://gitlab.com/famedly/conduit/-/releases/v0.8.0

https://conduit.rs/changelog/#v0-8-0-2024-06-12

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 25, 2024
Vulnerability Reserved
Jun 25, 2024

Credit

Michael Maltsev for finding vulnerability, Matthias Ahouansou for fixing it