OpenCVE

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hyperledger	Aries Cloud Agent

Configuration 1 [-]

OR	cpe:2.3:a:hyperledger:aries_cloud_agent::::::python::*
	cpe:2.3:a:hyperledger:aries_cloud_agent:0.11.0:rc1::::python::*
	cpe:2.3:a:hyperledger:aries_cloud_agent:0.11.0:rc2::::python::*

No data.

References

Link	Providers
https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293
https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2
https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5
https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0
https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-11T05:40:30.458Z

Updated: 2024-08-01T22:27:36.172Z

Reserved: 2023-12-29T16:10:20.368Z

Link: CVE-2024-21669

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-11T06:15:44.067

Modified: 2024-01-20T18:45:17.257

Link: CVE-2024-21669

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21669", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.368Z", "datePublished": "2024-01-11T05:40:30.458Z", "dateUpdated": "2024-08-01T22:27:36.172Z"}, "containers": {"cna": {"title": "Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293", "tags": ["x_refsource_MISC"], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2", "tags": ["x_refsource_MISC"], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"}], "affected": [{"vendor": "hyperledger", "product": "aries-cloudagent-python", "versions": [{"version": ">= 0.7.0, < 0.10.5", "status": "affected"}, {"version": ">= 0.11.0rc1, < 0.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-11T05:40:30.458Z"}, "descriptions": [{"lang": "en", "value": "Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5."}], "source": {"advisory": "GHSA-97x9-59rv-q5pm", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.172Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"}, {"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyperledger:aries_cloud_agent:*:*:*:*:*:python:*:*", "matchCriteriaId": "8E7EDC2A-7233-4326-82B1-E896F8B52925", "versionEndExcluding": "0.10.5", "versionStartIncluding": "0.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hyperledger:aries_cloud_agent:0.11.0:rc1:*:*:*:python:*:*", "matchCriteriaId": "300CAB56-D1C2-4D96-BBBB-C429E9364E94", "vulnerable": true}, {"criteria": "cpe:2.3:a:hyperledger:aries_cloud_agent:0.11.0:rc2:*:*:*:python:*:*", "matchCriteriaId": "A99DFE1B-4372-43D1-A8FA-2C4F6B6FB951", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5."}, {"lang": "es", "value": "Hyperledger Aries Cloud Agent Python (ACA-Py) es una base para crear aplicaciones y servicios de identidad descentralizados que se ejecutan en entornos no m\u00f3viles. Al verificar las credenciales verificables en formato W3C usando JSON-LD con Linked Data Proofs (LDP-VC), el resultado de verificar la presentaci\u00f3n `document.proof` no se tuvo en cuenta en el valor final `verified` (`true`/`false`) en el acta de presentaci\u00f3n. La falla permite a los titulares de credenciales verificables en formato W3C que utilizan JSON-LD con pruebas de datos vinculados (LDP) presentar pruebas construidas incorrectamente y permite a verificadores maliciosos guardar y reproducir una presentaci\u00f3n de dichos titulares como propia. Esta vulnerabilidad ha estado presente desde la versi\u00f3n 0.7.0 y se corrigi\u00f3 en la versi\u00f3n 0.10.5."}], "id": "CVE-2024-21669", "lastModified": "2024-01-20T18:45:17.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-11T06:15:44.067", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}