Key Expiry Vulnerability in Conduit's Signature Validation

CVE-2024-6299

3.7LOW

Key Information

Vendor
The Conduit Contributors
Status
Conduit
Vendor
CVE Published:
25 June 2024

Summary

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date

Affected Version(s)

Conduit < 0.8.0

Refferences

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability published

Collectors

NVD DatabaseMitre Database

Credit

Michael Maltsev for finding vulnerability, Matthias Ahouansou for fixing it
.