blob: 5249b72d3f6ecd9f4a770314445e11d50402362e [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-1117",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2022-36111",
"GHSA-672p-m5jq-mrh8"
],
"summary": "Insufficient verification of proofs in github.com/codenotary/immudb",
"details": "In certain scenarios, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value.\n\nThis vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability.",
"affected": [
{
"package": {
"name": "github.com/codenotary/immudb",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/codenotary/immudb/pkg/client/auditor",
"symbols": [
"defaultAuditor.Run",
"defaultAuditor.audit"
]
},
{
"path": "github.com/codenotary/immudb/pkg/client",
"symbols": [
"immuClient.SafeGet",
"immuClient.SafeReference",
"immuClient.SafeSet",
"immuClient.SafeZAdd",
"immuClient.StreamVerifiedGet",
"immuClient.StreamVerifiedSet",
"immuClient.VerifiedGet",
"immuClient.VerifiedGetAt",
"immuClient.VerifiedGetAtRevision",
"immuClient.VerifiedGetSince",
"immuClient.VerifiedSet",
"immuClient.VerifiedSetReference",
"immuClient.VerifiedSetReferenceAt",
"immuClient.VerifiedTxByID",
"immuClient.VerifiedZAdd",
"immuClient.VerifiedZAddAt",
"immuClient.VerifyRow",
"immuClient._streamVerifiedGet",
"immuClient._streamVerifiedSet",
"immuClient.verifiedGet"
]
},
{
"path": "github.com/codenotary/immudb/embedded/store",
"symbols": [
"ImmuStore.DualProof",
"VerifyDualProof",
"VerifyLinearProof"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"
},
{
"type": "ARTICLE",
"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"
},
{
"type": "FIX",
"url": "https://github.com/codenotary/immudb/commit/acf7f1b3d62436ea5e038acea1fc6394f90ab1c6"
},
{
"type": "FIX",
"url": "https://github.com/codenotary/immudb/commit/7267d67e28be8f0257b71d734611a051593e8a81"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-1117"
}
}