CVE-2020-11090 - OpenCVE

In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linuxfoundation	Indy-node

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:indy-node:1.12.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123
https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c
https://pypi.org/project/indy-node/1.12.3/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-06-11T00:05:14

Updated: 2024-08-04T11:21:14.678Z

Reserved: 2020-03-30T00:00:00

Link: CVE-2020-11090

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-11T00:15:22.443

Modified: 2020-06-22T16:36:33.427

Link: CVE-2020-11090

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Indy Node", "vendor": "Hyperledger", "versions": [{"status": "affected", "version": "= 1.12.2"}]}], "descriptions": [{"lang": "en", "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-06-11T00:05:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/indy-node/1.12.3/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"}], "source": {"advisory": "GHSA-3gw4-m5w7-v89c", "discovery": "UNKNOWN"}, "title": "Uncontrolled Resource Consumption in Indy Node", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11090", "STATE": "PUBLIC", "TITLE": "Uncontrolled Resource Consumption in Indy Node"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Indy Node", "version": {"version_data": [{"version_value": "= 1.12.2"}]}}]}, "vendor_name": "Hyperledger"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c", "refsource": "CONFIRM", "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"}, {"name": "https://pypi.org/project/indy-node/1.12.3/", "refsource": "MISC", "url": "https://pypi.org/project/indy-node/1.12.3/"}, {"name": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123", "refsource": "MISC", "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"}]}, "source": {"advisory": "GHSA-3gw4-m5w7-v89c", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:21:14.678Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/indy-node/1.12.3/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11090", "datePublished": "2020-06-11T00:05:14", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.678Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:indy-node:1.12.2:*:*:*:*:*:*:*", "matchCriteriaId": "6DF979BB-4DCF-4234-89F1-ADAD619A80AC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Indy Node 1.12.2, there is an Uncontrolled Resource Consumption vulnerability. Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. This is fixed in version 1.12.3."}, {"lang": "es", "value": "En Indy Node versi\u00f3n 1.12.2, se presenta una vulnerabilidad de Consumo de Recursos No Controlados. Indy Node presenta un bug en el c\u00f3digo de manejo de TAA. El primario actual puede bloquearse con una transacci\u00f3n malformada de un cliente, lo que conlleva a un cambio de vista. Los cambios repetidos de vista r\u00e1pida tienen el potencial de derribar la red. Esto es corregido en la versi\u00f3n 1.12.3"}], "id": "CVE-2020-11090", "lastModified": "2020-06-22T16:36:33.427", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-06-11T00:15:22.443", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://pypi.org/project/indy-node/1.12.3/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}