Key Expiry Vulnerability in Conduit's Signature Validation
CVE-2024-6299
3.7 LOW
Key Information
- Vendor: The Conduit Contributors
- Status
- Conduit
- Vendor
- CVE Published: 25 June 2024
Summary
Conduit does not consider key expiry when validating signatures. This allows an attacker who has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date.
Affected Version(s)
Conduit < 0.8.0
CVSS V3.1
- Score: 3.7
- Severity: LOW
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability Reserved.
Vulnerability published.
Collectors
NVD Database, Mitre Database
Credit
Michael Maltsev for finding the vulnerability, Matthias Ahouansou for fixing it