CVE-2022-36111 - OpenCVE

immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Codenotary	Immudb

Configuration 1 [-]

cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/codenotary/immudb/releases/tag/v1.4.1
https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8
https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake
https://pkg.go.dev/github.com/codenotary/immudb/pkg/client

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-23T00:00:00

Updated: 2024-08-03T09:52:00.524Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36111

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-11-23T18:15:11.787

Modified: 2022-11-27T04:33:34.200

Link: CVE-2022-36111

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36111", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T09:52:00.524Z", "dateReserved": "2022-07-15T00:00:00", "datePublished": "2022-11-23T00:00:00"}, "containers": {"cna": {"title": "immundb has insufficient verification of data authenticity", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-23T00:00:00"}, "descriptions": [{"lang": "en", "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."}], "affected": [{"vendor": "codenotary", "product": "immudb", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "references": [{"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"}, {"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"}, {"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"}, {"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "cweId": "CWE-345"}]}], "source": {"advisory": "GHSA-672p-m5jq-mrh8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.524Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1", "tags": ["x_transferred"]}, {"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8", "tags": ["x_transferred"]}, {"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EA9B368-DD84-4E51-ABFB-7FDEF2E9807E", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."}, {"lang": "es", "value": "immudb es una base de datos con prueba y verificaci\u00f3n criptogr\u00e1fica incorporada. En versiones anteriores a la 1.4.1, un servidor immudb malicioso puede proporcionar una prueba falsificada que ser\u00e1 aceptada por el SDK del cliente al firmar una transacci\u00f3n falsificada que reemplaza la genuina. Esta situaci\u00f3n no puede ser provocada por un servidor immudb genuino y requiere que el cliente realice una lista espec\u00edfica de operaciones verificadas que resultan en la aceptaci\u00f3n de un valor de estado no v\u00e1lido. Esta vulnerabilidad solo afecta a los SDK del cliente immudb; el servidor immudb en s\u00ed no se ve afectado por esta vulnerabilidad. Este problema se solucion\u00f3 en la versi\u00f3n 1.4.1."}], "id": "CVE-2022-36111", "lastModified": "2022-11-27T04:33:34.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-11-23T18:15:11.787", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}