| id: GO-2022-1118 |
| modules: |
| - module: github.com/codenotary/immudb |
| versions: |
| - fixed: 1.4.1 |
| vulnerable_at: 1.4.0 |
| packages: |
| - package: github.com/codenotary/immudb/pkg/client |
| symbols: |
| - NewImmuClient |
| - DefaultOptions |
| - immuClient.OpenSession |
| derived_symbols: |
| - NewClient |
| summary: Improper validation of UUIDs in github.com/codenotary/immudb |
| description: |- |
| A malicious server can trick a client into treating it as a different server by |
| changing the reported UUID. |
| |
| immudb client SDKs use the server's UUID to distinguish between different server |
| instance so that the client can connect to different immudb instances and keep |
| the state for multiple servers. The SDK does not validate this UUID and accepts |
| any value reported by the server. A malicious server can therefore change the |
| reported UUID and trick the client into treating it as a different server. |
| cves: |
| - CVE-2022-39199 |
| ghsas: |
| - GHSA-6cqj-6969-p57x |
| references: |
| - advisory: https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x |
| - fix: https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d |
| review_status: REVIEWED |