Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13YzM2LXhnY2Mtandwcs4AArrK
Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`
Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record.
Any combination was considered valid.
This allows an attacker to republish an existing PeerRecord with a different PeerId.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13YzM2LXhnY2Mtandwcs4AArrK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 11 months ago
Identifiers: GHSA-wc36-xgcc-jwpr
References:
- https://github.com/libp2p/rust-libp2p
- https://rustsec.org/advisories/RUSTSEC-2022-0009.html
- https://github.com/advisories/GHSA-wc36-xgcc-jwpr
Blast Radius: 0.0
Affected Packages
cargo:libp2p-core
Dependent packages: 63Dependent repositories: 1,657
Downloads: 5,851,343 total
Affected Version Ranges: >= 0.30.0-rc.1, < 0.30.2
Fixed in: 0.30.2
All affected versions: 0.30.0, 0.30.0-rc.1, 0.30.0-rc.2
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.24.0, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.27.0, 0.27.1, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.29.0, 0.30.2, 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.39.2, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2