Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5NHctNDJnMy1mN2g0
Holder can (re)create authentic credentials after receiving a credential in vp-toolkit
Impact
The verifyVerifiableCredential() method checks the cryptographic integrity of the Verifiable Credential, but it does not check whether the credential.issuer DID matches the signer of the credential.
The verifier is impacted by this vulnerability.
Patches
Patch will be available in version 0.2.2.
Workarounds
In case you trust certain issuers for certain credentials as a verifier, trust the issuer's public key from the credential.proof.verificationMethod field.
References
For more information
If you have any questions or comments about this advisory:
- Discuss in the existing issue
- Contact me
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA5NHctNDJnMy1mN2g0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: about 2 years ago
Identifiers: GHSA-p94w-42g3-f7h4
References:
- https://github.com/rabobank-blockchain/vp-toolkit/security/advisories/GHSA-p94w-42g3-f7h4
- https://github.com/rabobank-blockchain/vp-toolkit/issues/13
- https://github.com/rabobank-blockchain/vp-toolkit/commit/6315936d1d7913fd116fa51a0dbbd29d82c0ce17
- https://github.com/advisories/GHSA-p94w-42g3-f7h4
Blast Radius: 0.0
Affected Packages
npm:vp-toolkit
Dependent packages: 1
Dependent repositories: 3
Downloads: 25 last month
Affected Version Ranges: < 0.2.2
Fixed in: 0.2.2
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1
All unaffected versions: 0.2.2, 0.2.3