GO-2022-1118

Source

https://pkg.go.dev/vuln/GO-2022-1118

Import Source

https://vuln.go.dev/ID/GO-2022-1118.json

Aliases

Published

2022-12-22T20:40:16Z

Modified

2023-11-08T04:10:14.687054Z

Details

A malicious server can trick a client into treating it as a different server by changing the reported UUID.

immudb client SDKs use the server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can therefore change the reported UUID and trick the client into treating it as a different server.

References

Affected packages

Go / github.com/codenotary/immudb

Package

Name: github.com/codenotary/immudb

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.4.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/codenotary/immudb/pkg/client",
            "symbols": [
                "DefaultOptions",
                "NewClient",
                "NewImmuClient",
                "immuClient.OpenSession"
            ]
        }
    ]
}