Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
40 vulnerabilities by Hyperledger
CVE-2026-45581 (GCVE-0-2026-45581)
Vulnerability from nvd – Published: 2026-06-08 16:53 – Updated: 2026-06-09 15:51
VLAI
Title
fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
Summary
fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric-chaincode-j… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric-chaincode-java |
Affected:
>= 2.3.1, < 2.5.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:50:52.027913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:51:04.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric-chaincode-java",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.1, \u003c 2.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:53:45.829Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r"
}
],
"source": {
"advisory": "GHSA-wg5x-3g47-v38r",
"discovery": "UNKNOWN"
},
"title": "fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45581",
"datePublished": "2026-06-08T16:53:45.829Z",
"dateReserved": "2026-05-12T19:00:14.601Z",
"dateUpdated": "2026-06-09T15:51:04.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41586 (GCVE-0-2026-41586)
Vulnerability from nvd – Published: 2026-05-07 05:12 – Updated: 2026-05-07 14:57
VLAI
Title
ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE
Summary
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric/security/ad… | x_refsource_CONFIRM |
| https://hyperledger.github.io/fabric-gateway | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
>= 1.0.0, <= 2.2.26
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:13:37.345609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:52.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 2.2.26"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T05:12:35.666Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
},
{
"name": "https://hyperledger.github.io/fabric-gateway",
"tags": [
"x_refsource_MISC"
],
"url": "https://hyperledger.github.io/fabric-gateway"
}
],
"source": {
"advisory": "GHSA-prf8-cf2x-rhx7",
"discovery": "UNKNOWN"
},
"title": "ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41586",
"datePublished": "2026-05-07T05:12:35.666Z",
"dateReserved": "2026-04-21T14:15:21.959Z",
"dateUpdated": "2026-05-07T14:57:52.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30147 (GCVE-0-2025-30147)
Vulnerability from nvd – Published: 2025-05-07 18:27 – Updated: 2025-05-07 20:04
VLAI
Title
ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve
Summary
Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto's bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-java implementation. The pure java implementation is significantly slower, but does not have this consensus issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-325 - Missing Cryptographic Step
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/besu-native/securi… | x_refsource_CONFIRM |
| https://github.com/hyperledger/besu/blob/main/bes… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | besu-native |
Affected:
>= 0.9.0, < 1.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T20:03:45.572863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T20:04:15.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "besu-native",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 1.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto\u0027s bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-java implementation. The pure java implementation is significantly slower, but does not have this consensus issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325: Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T18:27:41.736Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/besu-native/security/advisories/GHSA-jcp8-gh74-97hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu-native/security/advisories/GHSA-jcp8-gh74-97hq"
},
{
"name": "https://github.com/hyperledger/besu/blob/main/besu/src/main/java/org/hyperledger/besu/cli/options/NativeLibraryOptions.java#L31-L38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/blob/main/besu/src/main/java/org/hyperledger/besu/cli/options/NativeLibraryOptions.java#L31-L38"
}
],
"source": {
"advisory": "GHSA-jcp8-gh74-97hq",
"discovery": "UNKNOWN"
},
"title": "ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30147",
"datePublished": "2025-05-07T18:27:41.736Z",
"dateReserved": "2025-03-17T12:41:42.565Z",
"dateUpdated": "2025-05-07T20:04:15.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45244 (GCVE-0-2024-45244)
Vulnerability from nvd – Published: 2024-08-25 00:00 – Updated: 2025-10-06 14:30
VLAI
Summary
Hyperledger Fabric through 3.0.0 and 2.5.x through 2.5.9 do not verify that a request has a timestamp within the expected time window.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
0 , ≤ 2.5.9
(custom)
cpe:2.3:a:hyperledger:fabric:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hyperledger:fabric:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"lessThanOrEqual": "2.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T18:56:24.872232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T18:59:02.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric through 3.0.0 and 2.5.x through 2.5.9 do not verify that a request has a timestamp within the expected time window."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T14:30:08.614Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd"
},
{
"url": "https://github.com/shanker-sec/HLF_TxTime_spoofing"
},
{
"url": "https://github.com/shanker-sec/hlf-time-oracle"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45244",
"datePublished": "2024-08-25T00:00:00.000Z",
"dateReserved": "2024-08-25T00:00:00.000Z",
"dateUpdated": "2025-10-06T14:30:08.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22192 (GCVE-0-2024-22192)
Vulnerability from nvd – Published: 2024-01-16 21:44 – Updated: 2025-06-16 19:46
VLAI
Title
Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders
Summary
Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof. Ursa has moved to end-of-life status and no fix is expected.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger-archives/ursa/secu… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger-archives | ursa |
Affected:
<= 0.3.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22192",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-14T19:57:42.792215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T19:46:20.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ursa",
"vendor": "hyperledger-archives",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof. Ursa has moved to end-of-life status and no fix is expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T21:44:53.121Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g"
}
],
"source": {
"advisory": "GHSA-6698-mhxx-r84g",
"discovery": "UNKNOWN"
},
"title": "Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22192",
"datePublished": "2024-01-16T21:44:53.121Z",
"dateReserved": "2024-01-08T04:59:27.370Z",
"dateUpdated": "2025-06-16T19:46:20.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21670 (GCVE-0-2024-21670)
Vulnerability from nvd – Published: 2024-01-16 21:44 – Updated: 2024-08-01 22:27
VLAI
Title
CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential
Summary
Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being "not revoked" when in fact, the holder's credential has been revoked. Ursa has moved to end-of-life status and no fix is expected.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger-archives/ursa/secu… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger-archives | ursa |
Affected:
<= 0.3.7
|
|
| hyperledger | ursa |
Affected:
0 , ≤ 0.3.7
(custom)
cpe:2.3:a:hyperledger:ursa:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hyperledger:ursa:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ursa",
"vendor": "hyperledger",
"versions": [
{
"lessThanOrEqual": "0.3.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T20:46:39.280934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:37:45.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.720Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ursa",
"vendor": "hyperledger-archives",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being \"not revoked\" when in fact, the holder\u0027s credential has been revoked. Ursa has moved to end-of-life status and no fix is expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T21:44:05.572Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4"
}
],
"source": {
"advisory": "GHSA-r78f-4q2q-hvv4",
"discovery": "UNKNOWN"
},
"title": "CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21670",
"datePublished": "2024-01-16T21:44:05.572Z",
"dateReserved": "2023-12-29T16:10:20.368Z",
"dateUpdated": "2024-08-01T22:27:35.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31021 (GCVE-0-2022-31021)
Vulnerability from nvd – Published: 2024-01-16 21:35 – Updated: 2025-06-02 15:08
VLAI
Title
Unlinkability broken in ursa when verifiers use malicious keys
Summary
Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implementation (derived from the Ursa or AnonCreds CL-Signatures implementations) that uses weakened private keys such that presentations from holders could be shared by verifiers to the issuer who could determine the holder to which the credential was issued. This vulnerability could impact holders of AnonCreds credentials implemented using the CL-signature scheme in the Ursa and AnonCreds implementations of CL Signatures. The ursa project has has moved to end-of-life status and no fix is expected.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/ursa/security/advi… | x_refsource_CONFIRM |
| https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | ursa |
Affected:
<= 0.3.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3"
},
{
"name": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31021",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:11:37.077048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:08:17.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ursa",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implementation (derived from the Ursa or AnonCreds CL-Signatures implementations) that uses weakened private keys such that presentations from holders could be shared by verifiers to the issuer who could determine the holder to which the credential was issued. This vulnerability could impact holders of AnonCreds credentials implemented using the CL-signature scheme in the Ursa and AnonCreds implementations of CL Signatures. The ursa project has has moved to end-of-life status and no fix is expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T21:35:31.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3"
},
{
"name": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf"
}
],
"source": {
"advisory": "GHSA-2q6j-gqc4-4gw3",
"discovery": "UNKNOWN"
},
"title": "Unlinkability broken in ursa when verifiers use malicious keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31021",
"datePublished": "2024-01-16T21:35:31.306Z",
"dateReserved": "2022-05-18T18:37:25.395Z",
"dateUpdated": "2025-06-02T15:08:17.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21669 (GCVE-0-2024-21669)
Vulnerability from nvd – Published: 2024-01-11 05:40 – Updated: 2025-06-03 14:25
VLAI
Title
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
Summary
Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
Severity
9.9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_CONFIRM |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | aries-cloudagent-python |
Affected:
>= 0.7.0, < 0.10.5
Affected: >= 0.11.0rc1, < 0.11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:36:06.145485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:25:18.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aries-cloudagent-python",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.7.0, \u003c 0.10.5"
},
{
"status": "affected",
"version": "\u003e= 0.11.0rc1, \u003c 0.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T05:40:30.458Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"
}
],
"source": {
"advisory": "GHSA-97x9-59rv-q5pm",
"discovery": "UNKNOWN"
},
"title": "Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21669",
"datePublished": "2024-01-11T05:40:30.458Z",
"dateReserved": "2023-12-29T16:10:20.368Z",
"dateUpdated": "2025-06-03T14:25:18.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46132 (GCVE-0-2023-46132)
Vulnerability from nvd – Published: 2023-11-14 20:23 – Updated: 2024-08-29 20:19
VLAI
Title
Crosslinking transaction attack in hyperledger/fabric
Summary
Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a "cross-linked block" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
>= 1.0.0, < 2.2.14
Affected: >= 2.3.0, < 2.5.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46132",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T20:19:34.464828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T20:19:53.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 2.2.14"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called \"cross-linking\" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a \"cross-linked block\" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T20:23:15.643Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m"
}
],
"source": {
"advisory": "GHSA-v9w2-543f-h69m",
"discovery": "UNKNOWN"
},
"title": "Crosslinking transaction attack in hyperledger/fabric"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46132",
"datePublished": "2023-11-14T20:23:15.643Z",
"dateReserved": "2023-10-16T17:51:35.573Z",
"dateUpdated": "2024-08-29T20:19:53.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45196 (GCVE-0-2022-45196)
Vulnerability from nvd – Published: 2022-11-12 00:00 – Updated: 2025-05-01 18:59
VLAI
Summary
Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:56.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/SmartBFT-Go/fabric/issues/286"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/2934"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T18:59:08.268180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670 Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T18:59:54.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-12T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/SmartBFT-Go/fabric/issues/286"
},
{
"url": "https://github.com/hyperledger/fabric/pull/2934"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45196",
"datePublished": "2022-11-12T00:00:00.000Z",
"dateReserved": "2022-11-12T00:00:00.000Z",
"dateUpdated": "2025-05-01T18:59:54.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36025 (GCVE-0-2022-36025)
Vulnerability from nvd – Published: 2022-09-24 02:00 – Updated: 2025-04-23 16:55
VLAI
Title
Incorrect Conversion between Numeric Types in Besu Ethereum Client
Summary
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger/besu/security/advi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | besu |
Affected:
> 22.1.3, < 22.7.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:08.380684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:55:35.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "besu",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e 22.1.3, \u003c 22.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-681",
"description": "CWE-681: Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-196",
"description": "CWE-196: Unsigned to Signed Conversion Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-24T02:00:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"source": {
"advisory": "GHSA-4456-w38r-m53x",
"discovery": "UNKNOWN"
},
"title": "Incorrect Conversion between Numeric Types in Besu Ethereum Client",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36025",
"STATE": "PUBLIC",
"TITLE": "Incorrect Conversion between Numeric Types in Besu Ethereum Client"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "besu",
"version": {
"version_data": [
{
"version_value": "\u003e 22.1.3, \u003c 22.7.1"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-681: Incorrect Conversion between Numeric Types"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-196: Unsigned to Signed Conversion Error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
]
},
"source": {
"advisory": "GHSA-4456-w38r-m53x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36025",
"datePublished": "2022-09-24T02:00:13.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:55:35.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31006 (GCVE-0-2022-31006)
Vulnerability from nvd – Published: 2022-09-09 19:10 – Updated: 2025-04-23 17:12
VLAI
Title
Hyperledger Indy DOS vulnerability
Summary
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network's expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/indy-node/security… | x_refsource_CONFIRM |
| https://github.com/hyperledger/indy-node/commit/5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | indy-node |
Affected:
<= 1.12.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:41.223725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:12:25.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "indy-node",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.12.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network\u0027s expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T19:10:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
}
],
"source": {
"advisory": "GHSA-x996-7qh9-7ff7",
"discovery": "UNKNOWN"
},
"title": "Hyperledger Indy DOS vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31006",
"STATE": "PUBLIC",
"TITLE": "Hyperledger Indy DOS vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "indy-node",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.12.6"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network\u0027s expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"name": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3",
"refsource": "MISC",
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
}
]
},
"source": {
"advisory": "GHSA-x996-7qh9-7ff7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31006",
"datePublished": "2022-09-09T19:10:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:12:25.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31020 (GCVE-0-2022-31020)
Vulnerability from nvd – Published: 2022-09-06 16:30 – Updated: 2025-04-23 17:14
VLAI
Title
Remote code execution in Indy's NODE_UPGRADE transaction
Summary
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/indy-node/security… | x_refsource_CONFIRM |
| https://github.com/hyperledger/indy-node/commit/f… | x_refsource_MISC |
| https://github.com/hyperledger/indy-node/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | indy-node |
Affected:
<= 1.12.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:58.564323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:14:59.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "indy-node",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-06T16:30:19.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
}
],
"source": {
"advisory": "GHSA-r6v9-p59m-gj2p",
"discovery": "UNKNOWN"
},
"title": "Remote code execution in Indy\u0027s NODE_UPGRADE transaction",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31020",
"STATE": "PUBLIC",
"TITLE": "Remote code execution in Indy\u0027s NODE_UPGRADE transaction"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "indy-node",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.12.4"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"name": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5",
"refsource": "MISC",
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"name": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5",
"refsource": "MISC",
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
}
]
},
"source": {
"advisory": "GHSA-r6v9-p59m-gj2p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31020",
"datePublished": "2022-09-06T16:30:19.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:14:59.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36023 (GCVE-0-2022-36023)
Vulnerability from nvd – Published: 2022-08-18 00:00 – Updated: 2025-04-23 17:49
VLAI
Title
Remote denial of service in Hyperledger Fabric Gateway
Summary
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
< 2.4.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-qj6r-fhrc-jj5r"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/3572"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/3576"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/3577"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:02:07.600461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:49:14.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-qj6r-fhrc-jj5r"
},
{
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.6"
},
{
"url": "https://github.com/hyperledger/fabric/pull/3572"
},
{
"url": "https://github.com/hyperledger/fabric/pull/3576"
},
{
"url": "https://github.com/hyperledger/fabric/pull/3577"
}
],
"source": {
"advisory": "GHSA-qj6r-fhrc-jj5r",
"discovery": "UNKNOWN"
},
"title": "Remote denial of service in Hyperledger Fabric Gateway"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36023",
"datePublished": "2022-08-18T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:49:14.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31121 (GCVE-0-2022-31121)
Vulnerability from nvd – Published: 2022-07-07 18:00 – Updated: 2025-04-23 18:04
VLAI
Title
Improper Input Validation in fabric hyperledger
Summary
Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric/security/ad… | x_refsource_CONFIRM |
| https://github.com/hyperledger/fabric/commit/0f18… | x_refsource_MISC |
| https://github.com/hyperledger/fabric/releases/ta… | x_refsource_MISC |
| https://github.com/hyperledger/fabric/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
< 2.2.7
Affected: >= 2.3.0, < 2.4.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:35.998266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:04:03.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.7"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T18:00:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5"
}
],
"source": {
"advisory": "GHSA-72x4-cq6r-jp4p",
"discovery": "UNKNOWN"
},
"title": "Improper Input Validation in fabric hyperledger",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31121",
"STATE": "PUBLIC",
"TITLE": "Improper Input Validation in fabric hyperledger"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fabric",
"version": {
"version_data": [
{
"version_value": "\u003c 2.2.7"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.4.5"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p"
},
{
"name": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06",
"refsource": "MISC",
"url": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06"
},
{
"name": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7",
"refsource": "MISC",
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7"
},
{
"name": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5",
"refsource": "MISC",
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5"
}
]
},
"source": {
"advisory": "GHSA-72x4-cq6r-jp4p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31121",
"datePublished": "2022-07-07T18:00:14.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:04:03.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-45581 (GCVE-0-2026-45581)
Vulnerability from cvelistv5 – Published: 2026-06-08 16:53 – Updated: 2026-06-09 15:51
VLAI
Title
fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
Summary
fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric-chaincode-j… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric-chaincode-java |
Affected:
>= 2.3.1, < 2.5.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:50:52.027913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:51:04.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric-chaincode-java",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.1, \u003c 2.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:53:45.829Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric-chaincode-java/security/advisories/GHSA-wg5x-3g47-v38r"
}
],
"source": {
"advisory": "GHSA-wg5x-3g47-v38r",
"discovery": "UNKNOWN"
},
"title": "fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45581",
"datePublished": "2026-06-08T16:53:45.829Z",
"dateReserved": "2026-05-12T19:00:14.601Z",
"dateUpdated": "2026-06-09T15:51:04.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41586 (GCVE-0-2026-41586)
Vulnerability from cvelistv5 – Published: 2026-05-07 05:12 – Updated: 2026-05-07 14:57
VLAI
Title
ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE
Summary
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric/security/ad… | x_refsource_CONFIRM |
| https://hyperledger.github.io/fabric-gateway | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
>= 1.0.0, <= 2.2.26
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:13:37.345609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:52.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 2.2.26"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T05:12:35.666Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
},
{
"name": "https://hyperledger.github.io/fabric-gateway",
"tags": [
"x_refsource_MISC"
],
"url": "https://hyperledger.github.io/fabric-gateway"
}
],
"source": {
"advisory": "GHSA-prf8-cf2x-rhx7",
"discovery": "UNKNOWN"
},
"title": "ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41586",
"datePublished": "2026-05-07T05:12:35.666Z",
"dateReserved": "2026-04-21T14:15:21.959Z",
"dateUpdated": "2026-05-07T14:57:52.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30147 (GCVE-0-2025-30147)
Vulnerability from cvelistv5 – Published: 2025-05-07 18:27 – Updated: 2025-05-07 20:04
VLAI
Title
ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve
Summary
Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto's bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-java implementation. The pure java implementation is significantly slower, but does not have this consensus issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-325 - Missing Cryptographic Step
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/besu-native/securi… | x_refsource_CONFIRM |
| https://github.com/hyperledger/besu/blob/main/bes… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | besu-native |
Affected:
>= 0.9.0, < 1.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T20:03:45.572863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T20:04:15.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "besu-native",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 1.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto\u0027s bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-java implementation. The pure java implementation is significantly slower, but does not have this consensus issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325: Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T18:27:41.736Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/besu-native/security/advisories/GHSA-jcp8-gh74-97hq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu-native/security/advisories/GHSA-jcp8-gh74-97hq"
},
{
"name": "https://github.com/hyperledger/besu/blob/main/besu/src/main/java/org/hyperledger/besu/cli/options/NativeLibraryOptions.java#L31-L38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/besu/blob/main/besu/src/main/java/org/hyperledger/besu/cli/options/NativeLibraryOptions.java#L31-L38"
}
],
"source": {
"advisory": "GHSA-jcp8-gh74-97hq",
"discovery": "UNKNOWN"
},
"title": "ALTBN128_ADD, ALTBN128_MUL, ALTBN128_PAIRING precompile functions do not check if points are on curve"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30147",
"datePublished": "2025-05-07T18:27:41.736Z",
"dateReserved": "2025-03-17T12:41:42.565Z",
"dateUpdated": "2025-05-07T20:04:15.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45244 (GCVE-0-2024-45244)
Vulnerability from cvelistv5 – Published: 2024-08-25 00:00 – Updated: 2025-10-06 14:30
VLAI
Summary
Hyperledger Fabric through 3.0.0 and 2.5.x through 2.5.9 do not verify that a request has a timestamp within the expected time window.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
0 , ≤ 2.5.9
(custom)
cpe:2.3:a:hyperledger:fabric:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hyperledger:fabric:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"lessThanOrEqual": "2.5.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T18:56:24.872232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-30T18:59:02.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric through 3.0.0 and 2.5.x through 2.5.9 do not verify that a request has a timestamp within the expected time window."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T14:30:08.614Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/hyperledger/fabric/commit/155457a6624b3c74b22e5729c35c8499bfe952cd"
},
{
"url": "https://github.com/shanker-sec/HLF_TxTime_spoofing"
},
{
"url": "https://github.com/shanker-sec/hlf-time-oracle"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45244",
"datePublished": "2024-08-25T00:00:00.000Z",
"dateReserved": "2024-08-25T00:00:00.000Z",
"dateUpdated": "2025-10-06T14:30:08.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22192 (GCVE-0-2024-22192)
Vulnerability from cvelistv5 – Published: 2024-01-16 21:44 – Updated: 2025-06-16 19:46
VLAI
Title
Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders
Summary
Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof. Ursa has moved to end-of-life status and no fix is expected.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger-archives/ursa/secu… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger-archives | ursa |
Affected:
<= 0.3.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22192",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-14T19:57:42.792215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T19:46:20.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ursa",
"vendor": "hyperledger-archives",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof. Ursa has moved to end-of-life status and no fix is expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T21:44:53.121Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g"
}
],
"source": {
"advisory": "GHSA-6698-mhxx-r84g",
"discovery": "UNKNOWN"
},
"title": "Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22192",
"datePublished": "2024-01-16T21:44:53.121Z",
"dateReserved": "2024-01-08T04:59:27.370Z",
"dateUpdated": "2025-06-16T19:46:20.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21670 (GCVE-0-2024-21670)
Vulnerability from cvelistv5 – Published: 2024-01-16 21:44 – Updated: 2024-08-01 22:27
VLAI
Title
CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential
Summary
Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being "not revoked" when in fact, the holder's credential has been revoked. Ursa has moved to end-of-life status and no fix is expected.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger-archives/ursa/secu… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger-archives | ursa |
Affected:
<= 0.3.7
|
|
| hyperledger | ursa |
Affected:
0 , ≤ 0.3.7
(custom)
cpe:2.3:a:hyperledger:ursa:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hyperledger:ursa:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ursa",
"vendor": "hyperledger",
"versions": [
{
"lessThanOrEqual": "0.3.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T20:46:39.280934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:37:45.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.720Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ursa",
"vendor": "hyperledger-archives",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being \"not revoked\" when in fact, the holder\u0027s credential has been revoked. Ursa has moved to end-of-life status and no fix is expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T21:44:05.572Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4"
}
],
"source": {
"advisory": "GHSA-r78f-4q2q-hvv4",
"discovery": "UNKNOWN"
},
"title": "CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21670",
"datePublished": "2024-01-16T21:44:05.572Z",
"dateReserved": "2023-12-29T16:10:20.368Z",
"dateUpdated": "2024-08-01T22:27:35.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31021 (GCVE-0-2022-31021)
Vulnerability from cvelistv5 – Published: 2024-01-16 21:35 – Updated: 2025-06-02 15:08
VLAI
Title
Unlinkability broken in ursa when verifiers use malicious keys
Summary
Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implementation (derived from the Ursa or AnonCreds CL-Signatures implementations) that uses weakened private keys such that presentations from holders could be shared by verifiers to the issuer who could determine the holder to which the credential was issued. This vulnerability could impact holders of AnonCreds credentials implemented using the CL-signature scheme in the Ursa and AnonCreds implementations of CL Signatures. The ursa project has has moved to end-of-life status and no fix is expected.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/ursa/security/advi… | x_refsource_CONFIRM |
| https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | ursa |
Affected:
<= 0.3.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.258Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3"
},
{
"name": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31021",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:11:37.077048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:08:17.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ursa",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.3.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implementation (derived from the Ursa or AnonCreds CL-Signatures implementations) that uses weakened private keys such that presentations from holders could be shared by verifiers to the issuer who could determine the holder to which the credential was issued. This vulnerability could impact holders of AnonCreds credentials implemented using the CL-signature scheme in the Ursa and AnonCreds implementations of CL Signatures. The ursa project has has moved to end-of-life status and no fix is expected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T21:35:31.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3"
},
{
"name": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf"
}
],
"source": {
"advisory": "GHSA-2q6j-gqc4-4gw3",
"discovery": "UNKNOWN"
},
"title": "Unlinkability broken in ursa when verifiers use malicious keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31021",
"datePublished": "2024-01-16T21:35:31.306Z",
"dateReserved": "2022-05-18T18:37:25.395Z",
"dateUpdated": "2025-06-02T15:08:17.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21669 (GCVE-0-2024-21669)
Vulnerability from cvelistv5 – Published: 2024-01-11 05:40 – Updated: 2025-06-03 14:25
VLAI
Title
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
Summary
Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
Severity
9.9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_CONFIRM |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
| https://github.com/hyperledger/aries-cloudagent-p… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | aries-cloudagent-python |
Affected:
>= 0.7.0, < 0.10.5
Affected: >= 0.11.0rc1, < 0.11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.172Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:36:06.145485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:25:18.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aries-cloudagent-python",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.7.0, \u003c 0.10.5"
},
{
"status": "affected",
"version": "\u003e= 0.11.0rc1, \u003c 0.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-11T05:40:30.458Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"
},
{
"name": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"
}
],
"source": {
"advisory": "GHSA-97x9-59rv-q5pm",
"discovery": "UNKNOWN"
},
"title": "Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21669",
"datePublished": "2024-01-11T05:40:30.458Z",
"dateReserved": "2023-12-29T16:10:20.368Z",
"dateUpdated": "2025-06-03T14:25:18.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46132 (GCVE-0-2023-46132)
Vulnerability from cvelistv5 – Published: 2023-11-14 20:23 – Updated: 2024-08-29 20:19
VLAI
Title
Crosslinking transaction attack in hyperledger/fabric
Summary
Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a "cross-linked block" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
>= 1.0.0, < 2.2.14
Affected: >= 2.3.0, < 2.5.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46132",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T20:19:34.464828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T20:19:53.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 2.2.14"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called \"cross-linking\" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a \"cross-linked block\" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T20:23:15.643Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m"
}
],
"source": {
"advisory": "GHSA-v9w2-543f-h69m",
"discovery": "UNKNOWN"
},
"title": "Crosslinking transaction attack in hyperledger/fabric"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46132",
"datePublished": "2023-11-14T20:23:15.643Z",
"dateReserved": "2023-10-16T17:51:35.573Z",
"dateUpdated": "2024-08-29T20:19:53.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45196 (GCVE-0-2022-45196)
Vulnerability from cvelistv5 – Published: 2022-11-12 00:00 – Updated: 2025-05-01 18:59
VLAI
Summary
Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:56.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/SmartBFT-Go/fabric/issues/286"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/2934"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T18:59:08.268180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670 Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T18:59:54.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a crafted channel tx with the same Channel name. NOTE: the official Fabric with Raft prevents exploitation via a locking mechanism and a check for names that already exist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-12T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/SmartBFT-Go/fabric/issues/286"
},
{
"url": "https://github.com/hyperledger/fabric/pull/2934"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45196",
"datePublished": "2022-11-12T00:00:00.000Z",
"dateReserved": "2022-11-12T00:00:00.000Z",
"dateUpdated": "2025-05-01T18:59:54.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36025 (GCVE-0-2022-36025)
Vulnerability from cvelistv5 – Published: 2022-09-24 02:00 – Updated: 2025-04-23 16:55
VLAI
Title
Incorrect Conversion between Numeric Types in Besu Ethereum Client
Summary
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hyperledger/besu/security/advi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | besu |
Affected:
> 22.1.3, < 22.7.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:08.380684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:55:35.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "besu",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003e 22.1.3, \u003c 22.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-681",
"description": "CWE-681: Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-196",
"description": "CWE-196: Unsigned to Signed Conversion Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-24T02:00:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
],
"source": {
"advisory": "GHSA-4456-w38r-m53x",
"discovery": "UNKNOWN"
},
"title": "Incorrect Conversion between Numeric Types in Besu Ethereum Client",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36025",
"STATE": "PUBLIC",
"TITLE": "Incorrect Conversion between Numeric Types in Besu Ethereum Client"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "besu",
"version": {
"version_data": [
{
"version_value": "\u003e 22.1.3, \u003c 22.7.1"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incorrect gas being passed into called contracts and incorrect gas being returned after call execution. Where the amount of gas makes a difference in the success or failure, or if the gas is a negative 64 bit value, the execution will result in a different state root than expected, resulting in a consensus failure in networks with multiple EVM implementations. In networks with a single EVM implementation this can be used to execute with significantly more gas than then transaction requested, possibly exceeding gas limitations. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-681: Incorrect Conversion between Numeric Types"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-196: Unsigned to Signed Conversion Error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/besu/security/advisories/GHSA-4456-w38r-m53x"
}
]
},
"source": {
"advisory": "GHSA-4456-w38r-m53x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36025",
"datePublished": "2022-09-24T02:00:13.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:55:35.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31006 (GCVE-0-2022-31006)
Vulnerability from cvelistv5 – Published: 2022-09-09 19:10 – Updated: 2025-04-23 17:12
VLAI
Title
Hyperledger Indy DOS vulnerability
Summary
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network's expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/indy-node/security… | x_refsource_CONFIRM |
| https://github.com/hyperledger/indy-node/commit/5… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | indy-node |
Affected:
<= 1.12.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.302Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:41.223725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:12:25.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "indy-node",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.12.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network\u0027s expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T19:10:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
}
],
"source": {
"advisory": "GHSA-x996-7qh9-7ff7",
"discovery": "UNKNOWN"
},
"title": "Hyperledger Indy DOS vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31006",
"STATE": "PUBLIC",
"TITLE": "Hyperledger Indy DOS vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "indy-node",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.12.6"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network\u0027s expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"name": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3",
"refsource": "MISC",
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
}
]
},
"source": {
"advisory": "GHSA-x996-7qh9-7ff7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31006",
"datePublished": "2022-09-09T19:10:10.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:12:25.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31020 (GCVE-0-2022-31020)
Vulnerability from cvelistv5 – Published: 2022-09-06 16:30 – Updated: 2025-04-23 17:14
VLAI
Title
Remote code execution in Indy's NODE_UPGRADE transaction
Summary
Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/indy-node/security… | x_refsource_CONFIRM |
| https://github.com/hyperledger/indy-node/commit/f… | x_refsource_MISC |
| https://github.com/hyperledger/indy-node/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | indy-node |
Affected:
<= 1.12.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:58.564323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:14:59.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "indy-node",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-06T16:30:19.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
}
],
"source": {
"advisory": "GHSA-r6v9-p59m-gj2p",
"discovery": "UNKNOWN"
},
"title": "Remote code execution in Indy\u0027s NODE_UPGRADE transaction",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31020",
"STATE": "PUBLIC",
"TITLE": "Remote code execution in Indy\u0027s NODE_UPGRADE transaction"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "indy-node",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.12.4"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"name": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5",
"refsource": "MISC",
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"name": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5",
"refsource": "MISC",
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
}
]
},
"source": {
"advisory": "GHSA-r6v9-p59m-gj2p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31020",
"datePublished": "2022-09-06T16:30:19.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:14:59.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36023 (GCVE-0-2022-36023)
Vulnerability from cvelistv5 – Published: 2022-08-18 00:00 – Updated: 2025-04-23 17:49
VLAI
Title
Remote denial of service in Hyperledger Fabric Gateway
Summary
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
< 2.4.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-qj6r-fhrc-jj5r"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/3572"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/3576"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/pull/3577"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:02:07.600461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:49:14.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-qj6r-fhrc-jj5r"
},
{
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.6"
},
{
"url": "https://github.com/hyperledger/fabric/pull/3572"
},
{
"url": "https://github.com/hyperledger/fabric/pull/3576"
},
{
"url": "https://github.com/hyperledger/fabric/pull/3577"
}
],
"source": {
"advisory": "GHSA-qj6r-fhrc-jj5r",
"discovery": "UNKNOWN"
},
"title": "Remote denial of service in Hyperledger Fabric Gateway"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36023",
"datePublished": "2022-08-18T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:49:14.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31121 (GCVE-0-2022-31121)
Vulnerability from cvelistv5 – Published: 2022-07-07 18:00 – Updated: 2025-04-23 18:04
VLAI
Title
Improper Input Validation in fabric hyperledger
Summary
Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/hyperledger/fabric/security/ad… | x_refsource_CONFIRM |
| https://github.com/hyperledger/fabric/commit/0f18… | x_refsource_MISC |
| https://github.com/hyperledger/fabric/releases/ta… | x_refsource_MISC |
| https://github.com/hyperledger/fabric/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hyperledger | fabric |
Affected:
< 2.2.7
Affected: >= 2.3.0, < 2.4.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:35.998266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:04:03.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fabric",
"vendor": "hyperledger",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.7"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T18:00:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5"
}
],
"source": {
"advisory": "GHSA-72x4-cq6r-jp4p",
"discovery": "UNKNOWN"
},
"title": "Improper Input Validation in fabric hyperledger",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31121",
"STATE": "PUBLIC",
"TITLE": "Improper Input Validation in fabric hyperledger"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fabric",
"version": {
"version_data": [
{
"version_value": "\u003c 2.2.7"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.4.5"
}
]
}
}
]
},
"vendor_name": "hyperledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client sends a malformed consensus request to an orderer it may crash the orderer node. A fix has been added in commit 0f1835949 which checks for missing consensus messages and returns an error to the consensus client should the message be missing. Users are advised to upgrade to versions 2.2.7 or v2.4.5. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p",
"refsource": "CONFIRM",
"url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-72x4-cq6r-jp4p"
},
{
"name": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06",
"refsource": "MISC",
"url": "https://github.com/hyperledger/fabric/commit/0f18359493bcbd5f9f9d1a9b05adabfe5da23b06"
},
{
"name": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7",
"refsource": "MISC",
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.2.7"
},
{
"name": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5",
"refsource": "MISC",
"url": "https://github.com/hyperledger/fabric/releases/tag/v2.4.5"
}
]
},
"source": {
"advisory": "GHSA-72x4-cq6r-jp4p",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31121",
"datePublished": "2022-07-07T18:00:14.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:04:03.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}