modules:
    - module: github.com/codenotary/immudb
      versions:
          - fixed: 1.4.1
      vulnerable_at: 1.4.0
      packages:
          - package: github.com/codenotary/immudb/pkg/client
            symbols:
                - NewImmuClient
                - DefaultOptions
                - immuClient.OpenSession
            derived_symbols:
                - NewClient
description: |
    A malicious server can trick a client into treating it as a different
    server by changing the reported UUID.

    immudb client SDKs use the server's UUID to distinguish between different
    server instances so that the client can connect to different immudb
    instances and keep separate state for each server. The SDK does not
    validate this UUID and accepts any value reported by the server. A
    malicious server can therefore change the reported UUID and trick the
    client into treating it as a different server.
cves:
    - CVE-2022-39199
ghsas:
    - GHSA-6cqj-6969-p57x
references:
    - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x
    - fix: https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d