RUSTSEC-2022-0009

Source
https://rustsec.org/advisories/RUSTSEC-2022-0009
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0009.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2022-0009
Aliases
Published
2022-02-07T12:00:00Z
Modified
2023-11-08T04:23:45.241320Z
Summary
Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`
Details

Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. Any combination was considered valid.

This allows an attacker to republish an existing PeerRecord with a different PeerId.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / libp2p-core

Affected ranges

Type
SEMVER
Events
Introduced
0.30.0-rc.1
Fixed
0.30.2
Introduced
0.31.0-0
Fixed
0.31.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "libp2p_core::PeerRecord::from_signed_envelope"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "crypto-failure"
    ]
}