blob: 432f311c83623a31db2292c76a272f7f9770d087 [file] [log] [blame]
id: GO-2022-1118
modules:
- module: github.com/codenotary/immudb
versions:
- fixed: 1.4.1
vulnerable_at: 1.4.0
packages:
- package: github.com/codenotary/immudb/pkg/client
symbols:
- NewImmuClient
- DefaultOptions
- immuClient.OpenSession
derived_symbols:
- NewClient
summary: Improper validation of UUIDs in github.com/codenotary/immudb
description: |-
A malicious server can trick a client into treating it as a different server by
changing the reported UUID.
immudb client SDKs use the server's UUID to distinguish between different server
instance so that the client can connect to different immudb instances and keep
the state for multiple servers. The SDK does not validate this UUID and accepts
any value reported by the server. A malicious server can therefore change the
reported UUID and trick the client into treating it as a different server.
cves:
- CVE-2022-39199
ghsas:
- GHSA-6cqj-6969-p57x
references:
- advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x
- fix: https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d
review_status: REVIEWED