{"id":"PYSEC-2022-265","details":"Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In versions 1.12.4 and prior, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The `pool-upgrade` request handler in Indy-Node 1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.","aliases":["CVE-2022-31020","GHSA-r6v9-p59m-gj2p"],"modified":"2023-11-08T04:09:22.844035Z","published":"2022-09-06T17:15:00Z","references":[{"type":"FIX","url":"https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"},{"type":"ADVISORY","url":"https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"},{"type":"WEB","url":"https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"}],"affected":[{"package":{"name":"indy-node","ecosystem":"PyPI","purl":"pkg:pypi/indy-node"},"ranges":[{"type":"GIT","repo":"https://github.com/hyperledger/indy-node","events":[{"introduced":"0"},{"fixed":"fe507474f77084faef4539101e2bbb4d508a97f5"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12.5rc1"}]}],"versions":["0.0.1.dev38","0.0.1.dev40","0.0.12","0.0.2","0.0.20","0.0.21","0.0.22","0.0.23","0.0.24","0.0.25","0.0.28","0.0.3","0.0.30","0.0.31","0.0.32","0.0.4","0.4.27","1.0.28","1.0.29","1.1.1","1.1.30","1.1.31","1.1.32","1.1.33","1.1.34","1.1.35","1.1.36","1.1.37","1.1.38","1.1.39","1.1.40","1.1.41","1.1.42","1.1.43","1.10.0","1.10.0.dev1070","1.10.0.dev1071","1.10.0.dev1072","1.10.0.dev1073","1.10.0.dev1074","1.10.0.dev1075","1.10.0.dev1076","1.10.0.dev1077","1.10.0.dev1078","1.10.0.dev1079","1.10.0.dev1080","1.10.0.dev1081","1.10.0.dev1082","1.10.0.dev1083","1.10.0.dev1084","1.10.0.dev1085","1.10.0.dev1086","1.10.0.dev1087","1.10.0.dev1088","1.10.0.dev1089","1.10.0.dev1090","1.10.0.dev1091","1.10.0.dev1092","1.10.0.dev1093","1.10.0.dev1094","1.10.0.dev1095","1.10.0.dev1096","1.10.0.dev1097","1.10.0.dev1098","1.10.0rc1","1.11.0","1.11.0.dev1099","1.11.0.dev1100","1.11.0.dev1101","1.11.0.dev1102","1.11.0.dev1103","1.11.0.dev1104","1.11.0.dev1105","1.11.0.dev1106","1.11.0.dev1107","1.11.0.dev1108","1.11.0.dev1109","1.11.0.dev1110","1.11.0.dev1111","1.11.0.dev1112","1.11.0.dev1113","1.11.0.dev1114","1.11.0.dev1115","1.11.0.dev1116","1.11.0.dev1117","1.11.0.dev1118","1.11.0.dev1119","1.11.0.dev1120","1.11.0.dev1121","1.11.0.dev1122","1.11.0.dev1123","1.11.0rc1","1.12.0","1.12.0.dev1124","1.12.0.dev1125","1.12.0.dev1126","1.12.0.dev1127","1.12.0.dev1128","1.12.0.dev1129","1.12.0.dev1130","1.12.0.dev1131","1.12.0.dev1132","1.12.0.dev1133","1.12.0.dev1134","1.12.0.dev1135","1.12.0.dev1136","1.12.0.dev1137","1.12.0.dev1138","1.12.0.dev1139","1.12.0.dev1140","1.12.0.dev1141","1.12.0.dev1142","1.12.0.dev1143","1.12.0.dev1144","1.12.0.dev1145","1.12.0rc1","1.12.1","1.12.1.dev1146","1.12.1.dev1147","1.12.1.dev1148","1.12.1.dev1149","1.12.1.dev1150","1.12.1.dev1151","1.12.1.dev1152","1.12.1.dev1153","1.12.1.dev1154","1.12.1.dev1155","1.12.1.dev1156","1.12.1.dev1157","1.12.1.dev1158","1.12.1.dev1159","1.12.1.dev1160","1.12.1.dev1161","1.12.1.dev1162","1.12.1.dev1163","1.12.1.dev1164","1.12.1.dev1165","1.12.1.dev1166","1.12.1.dev1167","1.12.1.dev1168","1.12.1.dev1169","1.12.1.dev1170","1.12.1.dev1171","1.12.1.dev1172","1.12.1.dev1173","1.12.1.dev1174","1.12.1.dev1175","1.12.1.dev1176","1.12.1.dev1177","1.12.1.dev1178","1.12.1.dev1179","1.12.1rc1","1.12.2","1.12.2.dev1180","1.12.2.dev1181","1.12.2.dev1182","1.12.2.dev1183","1.12.2.dev1184","1.12.2.dev1185","1.12.2.dev1186","1.12.2.dev1187","1.12.2.dev1188","1.12.2.dev1189"
,"1.12.2.dev1190","1.12.2.dev1191","1.12.2.dev1192","1.12.2.dev1193","1.12.2.dev1194","1.12.2.dev1195","1.12.2rc1","1.12.3","1.12.3rc1","1.12.4","1.12.4rc1","1.2.44","1.2.45","1.2.46","1.2.47","1.2.48","1.2.49","1.2.50","1.3.51","1.3.52","1.3.53","1.3.54","1.3.55","1.3.56","1.3.57","1.3.58","1.3.59","1.3.60","1.3.61","1.3.62","1.4.63","1.4.64","1.4.65","1.4.66","1.5.67","1.5.68","1.6.69","1.6.70","1.6.71","1.6.72","1.6.73","1.6.74","1.6.75","1.6.76","1.6.77","1.6.78","1.6.79","1.6.80","1.6.81","1.6.82","1.6.83","1.7.0","1.7.0.dev878","1.7.0.dev879","1.7.0.dev880","1.7.0.dev881","1.7.0.dev882","1.7.0.dev883","1.7.0.dev884","1.7.0.dev885","1.7.0.dev886","1.7.0.dev887","1.7.0.dev888","1.7.0.dev889","1.7.0.dev890","1.7.0.dev891","1.7.0.dev892","1.7.0.dev893","1.7.0.dev894","1.7.0.dev895","1.7.0.dev896","1.7.0.dev897","1.7.0.dev898","1.7.0.dev899","1.7.0.dev900","1.7.0.dev901","1.7.0.dev902","1.7.0.dev903","1.7.0.dev904","1.7.0.dev905","1.7.0.dev906","1.7.0.dev907","1.7.0.dev908","1.7.0.dev909","1.7.0.dev910","1.7.0.dev911","1.7.0.dev912","1.7.0.dev913","1.7.0.dev914","1.7.1","1.8.0","1.8.0.dev915","1.8.0.dev916","1.8.0.dev917","1.8.0.dev918","1.8.0.dev919","1.8.0.dev920","1.8.0.dev921","1.8.0.dev922","1.8.0.dev923","1.8.0.dev924","1.8.0.dev925","1.8.0.dev926","1.8.0.dev927","1.8.0.dev928","1.8.0.dev929","1.8.0.dev930","1.8.0.dev931","1.8.0.dev932","1.8.0.dev933","1.8.0.dev934","1.8.0.dev935","1.8.0.dev936","1.8.0.dev937","1.8.0.dev938","1.8.0.dev939","1.8.0.dev940","1.8.0.dev941","1.8.0.dev942","1.8.0.dev943","1.8.0.dev944","1.8.0.dev945","1.8.0.dev946","1.8.0.dev947","1.8.0.dev948","1.8.0.dev951","1.8.0.dev952","1.8.0.dev953","1.8.0.dev954","1.8.0.dev955","1.8.0.dev956","1.8.0.dev957","1.8.0.dev958","1.8.0.dev959","1.8.0.dev960","1.8.0.dev961","1.8.0.dev963","1.8.0.dev964","1.8.0.dev965","1.8.0.dev966","1.8.0.dev967","1.8.0.dev968","1.8.0.dev969","1.8.0.dev970","1.8.0.dev971","1.8.0.dev972","1.8.0.dev975","1.8.0.dev977","1.8.0.dev978","1.8.0.dev979","1.8.0.dev980","1.8.0.dev981","1.8.0.dev982","1.8.0.dev983","1.8.0.dev984","1.8.0rc1","1.8.0rc2","1.8.1","1.8.1rc1","1.9.0","1.9.0.dev1000","1.9.0.dev1001","1.9.0.dev1002","1.9.0.dev1003","1.9.0.dev1004","1.9.0.dev1005","1.9.0.dev1006","1.9.0.dev1007","1.9.0.dev1008","1.9.0.dev1009","1.9.0.dev1010","1.9.0.dev1011","1.9.0.dev1012","1.9.0.dev1013","1.9.0.dev1014","1.9.0.dev1016","1.9.0.dev1017","1.9.0.dev1018","1.9.0.dev1019","1.9.0.dev1020","1.9.0.dev1021","1.9.0.dev1022","1.9.0.dev1023","1.9.0.dev1024","1.9.0.dev1025","1.9.0.dev1026","1.9.0.dev1027","1.9.0.dev1028","1.9.0.dev1029","1.9.0.dev1030","1.9.0.dev1031","1.9.0.dev1032","1.9.0.dev1033","1.9.0.dev1034","1.9.0.dev1035","1.9.0.dev1036","1.9.0.dev1037","1.9.0.dev1038","1.9.0.dev1039","1.9.0.dev985","1.9.0.dev986","1.9.0.dev987","1.9.0.dev988","1.9.0.dev989","1.9.0.dev990","1.9.0.dev991","1.9.0.dev992","1.9.0.dev993","1.9.0.dev994","1.9.0.dev995","1.9.0.dev996","1.9.0.dev997","1.9.0.dev998","1.9.0.dev999","1.9.0rc1","1.9.0rc2","1.9.0rc3","1.9.0rc4","1.9.1","1.9.1.dev1040","1.9.1.dev1041","1.9.1.dev1042","1.9.1.dev1043","1.9.1.dev1044","1.9.1.dev1045","1.9.1.dev1046","1.9.1.dev1047","1.9.1.dev1048","1.9.1.dev1049","1.9.1rc1","1.9.2","1.9.2.dev1050","1.9.2.dev1051","1.9.2.dev1052","1.9.2.dev1053","1.9.2.dev1054","1.9.2.dev1055","1.9.2.dev1056","1.9.2.dev1057","1.9.2.dev1058","1.9.2.dev1059","1.9.2.dev1060","1.9.2.dev1061","1.9.2.dev1062","1.9.2.dev1063","1.9.2.dev1064","1.9.2.dev1065","1.9.2.dev1066","1.9.2.dev1067","1.9.2.dev1068","1.9.2.dev1069","1.9.2rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/indy-node/PYSEC-2022-265.yaml"}}],"schema_version":"1.7.3"}