CRITICAL🇵🇱 Wersja polska

CVE-2024-21669

CVSS 9.9v3.1pub. 2024-01-11upd. 2024-11-21

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.

🤖 AI Analysis
How it works

During the verification of Verifiable Presentations in W3C format using JSON-LD and Linked Data Proofs, the system was omitting the verification result of the `document.proof` field when determining the final `verified` status. As a result, a presentation with improperly constructed or forged proof could be marked as valid (true). Additionally, a malicious verifier who received such a presentation could save it and then replay it as their own to other parties (replay attack). The vulnerability is classified as CWE-347 — improper verification of cryptographic signature.

Impact

An attacker (credential holder or malicious verifier) can bypass the identity verification mechanism by submitting false or improperly signed proofs, and can impersonate other users by replaying intercepted presentations.

Mitigation & patch

ACA-Py should be updated to version 0.10.5 or later (including 0.11.0), in which the issue has been fixed. Patches are available in the GitHub repository of the Hyperledger Aries Cloud Agent Python project.

Who is affected

Hyperledger Aries Cloud Agent Python (ACA-Py) versions 0.7.0 to 0.10.4 inclusive, using W3C credential verification in JSON-LD format with Linked Data Proofs (LDP-VC).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Hyperledger Aries Cloud Agent

    APP
    Hyperledger
    0.11.00.7.0 – 0.10.5 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-46132HIGH7.1ten sam vendor

Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one...

CVE-2022-45196HIGH7.5ten sam vendor

Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a c...

CVE-2022-36023HIGH7.0ten sam vendor

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions a...

CVE-2022-31121HIGH7.5ten sam vendor

Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client ...

CVE-2018-3756HIGH7.5ten sam vendor

Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verif...