Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZmNXgtdzl3Zy1oMjc1
Holder can generate proof of ownership for credentials it does not control in vp-toolkit
Impact
The verifyVerifiablePresentation() method checks the cryptographic integrity of the Verifiable Presentation, but it does not check whether the credentialSubject.id DID matches the signer of the VP proof.
The verifier is impacted by this vulnerability.
Patches
Patch will be available in version 0.2.2.
Workarounds
- Compute the address out of the verifiablePresentation.proof.n.verificationMethod using getAddressFromPubKey() from [email protected] and match it with the credentialSubject.id address from the credential.
References
For more information
If you have any questions or comments about this advisory:
- Discuss in the existing issue
- Contact me
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZmNXgtdzl3Zy1oMjc1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: about 2 years ago
Identifiers: GHSA-ff5x-w9wg-h275
References:
- https://github.com/rabobank-blockchain/vp-toolkit/security/advisories/GHSA-ff5x-w9wg-h275
- https://github.com/rabobank-blockchain/vp-toolkit/issues/14
- https://github.com/rabobank-blockchain/vp-toolkit/commit/18a7db84d3265c6ffa10ef63eb37ae1bd4ba192b
- https://github.com/advisories/GHSA-ff5x-w9wg-h275
Blast Radius: 0.0
Affected Packages
npm:vp-toolkit
Dependent packages: 1
Dependent repositories: 3
Downloads: 25 last month
Affected Version Ranges: < 0.2.2
Fixed in: 0.2.2
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1
All unaffected versions: 0.2.2, 0.2.3