Vulnerability Information
Vulnerability Title
Remote code execution in Indy's NODE_UPGRADE transaction
Vulnerability Description
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Improper Authentication
Vulnerability Title
Indy Node Input Validation Error Vulnerability
Vulnerability Description
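Indy Node is the server portion of a distributed ledger, open-sourced by Hyperledger (USA) and purpose-built for decentralized identity. Versions of Indy Node prior to 1.12.4 contain an input validation error vulnerability, which stems from the "pool-upgrade" request handler in Indy-Node allowing an unauthenticated attacker to remotely execute code on nodes in the network.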
CVSS Information
N/A
Vulnerability Type
N/A