indy-node@1.10.0.dev1091 vulnerabilities

Indy node

Direct Vulnerabilities

Known vulnerabilities in the indy-node package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Denial of Service (DoS)

indy-node is a package that implements server portion of a distributed ledger purpose-built for decentralized identity.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker maxes out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose.

How to fix Denial of Service (DoS)?

A fix was pushed into the master branch but not yet published.

[0,)
  • C
Arbitrary Code Execution

indy-node is a package that implements server portion of a distributed ledger purpose-built for decentralized identity.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the pool-upgrade request handler.

How to fix Arbitrary Code Execution?

Upgrade indy-node to version 1.12.5 or higher.

[,1.12.5)
  • M
Authorization Bypass

indy-node is a package that implements server portion of a distributed ledger purpose-built for decentralized identity.

Affected versions of this package are vulnerable to Authorization Bypass. There is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger. Updating a DID with a nym transaction will be written to the ledger if neither ROLE or VERKEY are being changed, regardless of sender. A malicious DID with no particular role can ask an update for another DID (but cannot modify its verkey or role). This is bad because:

  1. Any DID can write a nym transaction to the ledger (i.e., any DID can spam the ledger with nym transactions)

  2. Any DID can change any other DID's alias

  3. The update transaction modifies the ledger metadata associated with a DID.

How to fix Authorization Bypass?

Upgrade indy-node to version 1.12.4 or higher.

[0,1.12.4)