Vulnerability Information
Vulnerability Title
Remote code execution in Indy's NODE_UPGRADE transaction
Vulnerability Description
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Improper Authentication
Vulnerability Title
Indy Node input validation error vulnerability
Vulnerability Description
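Indy Node is the server portion of a distributed ledger open-sourced by Hyperledger (USA), purpose-built for decentralized identity. Versions of Indy Node prior to 1.12.4 contain an input validation error vulnerability, which stems from the `pool-upgrade` request handler in Indy-Node allowing an unauthenticated attacker to remotely execute code on nodes in the network.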
CVSS Information
N/A
Vulnerability Type
N/A