Homepage

ssb-db@20.0.0 vulnerabilities

a secure, replicatable database

  • latest version

    20.4.1

  • latest non vulnerable version

    20.4.1

  • first published

    6 years ago

  • latest version published

    3 years ago

  • licenses detected

  • View ssb-db package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the ssb-db package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Information Exposure

    ssb-db is an a secure, replicatable database

    Affected versions of this package are vulnerable to Information Exposure. The get() method is supposed to only decrypt messages when explicitly asked, however a bug exists where it decrypts any message that it can. This means that it returns the decrypted content of private messages, which a malicious peer could use to get access to private data. This only affects peers who also have private messages, and is only known to be exploitable if you're also running SSB-OOO (default in SSB-Server), which exposes a thin wrapper around get() to anonymous peers.

    How to fix Information Exposure?

    Upgrade ssb-db to version 20.0.1 or higher.

    >=20.0.0 <20.0.1
    Go back to all versions of this package