CVE-2024-21669
First published: Tue Jan 09 2024(Updated: )
### Impact When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly `"verified": true`: ```json { "verified": true, "presentation_result": { "verified": false, "document": { "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/citizenship/v1" ], "type": [ "VerifiableCredential", "PermanentResident" ], "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "issuanceDate": "2023-11-18", "credentialSubject": { "type": [ "PermanentResident" ], "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "givenName": "Bob", "familyName": "Builder", "gender": "Male", "birthCountry": "Bahamas", "birthDate": "1958-07-17" }, "proof": { "type": "Ed25519Signature2018", "proofPurpose": "assertionMethod", "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "created": "2023-11-18T21:39:56.988853+00:00", "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA" } } ], "proof": { "type": "Ed25519Signature2018", "proofPurpose": "authentication", "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "created": "2023-11-18T21:39:59.188276+00:00", "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d", "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw" } }, "results": [ { "verified": false, "proof": { "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": "Ed25519Signature2018", "proofPurpose": "authentication", "verificationMethod": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "created": "2023-11-18T21:39:59.188276+00:00", "challenge": "ce0956d4-206d-4b69-a087-52bbb9ddaf1d", "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw" }, "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969", "purpose_result": { "valid": false, "error": "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969" } } ], "errors": [ "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969" ] }, "credential_results": [ { "verified": true, "document": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/citizenship/v1" ], "type": [ "VerifiableCredential", "PermanentResident" ], "issuer": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "issuanceDate": "2023-11-18", "credentialSubject": { "type": [ "PermanentResident" ], "id": "did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C", "givenName": "Bob", "familyName": "Builder", "gender": "Male", "birthCountry": "Bahamas", "birthDate": "1958-07-17" }, "proof": { "type": "Ed25519Signature2018", "proofPurpose": "assertionMethod", "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "created": "2023-11-18T21:39:56.988853+00:00", "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA" } }, "results": [ { "verified": true, "proof": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/citizenship/v1" ], "type": "Ed25519Signature2018", "proofPurpose": "assertionMethod", "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "created": "2023-11-18T21:39:56.988853+00:00", "jws": "eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA" }, "purpose_result": { "valid": true, "controller": { "@context": "https://w3id.org/security/v2", "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "assertionMethod": [ "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1" ], "authentication": [ { "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "type": "Ed25519VerificationKey2018", "controller": "did:sov:EzcfrVw7Tveho5NjrmDWnd", "publicKeyBase58": "8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo" } ], "verificationMethod": "did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1", "https://www.w3.org/ns/did#service": { "id": "did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication", "type": "did-communication", "https://www.w3.org/ns/did#serviceEndpoint": { "id": "http://alice:3000" } } } } } ] } ], "errors": [ "The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969" ] } ``` The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release in 0.7.0. All ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability. ### Patches This issue has been patched in version [0.10.5](https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5) and fixed in [0.11.0](https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0). ### Workarounds There is no workaround other upgrading to a patched/fixed version of ACA-Py.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/aries-cloudagent | >=0.11.0rc1<0.11.0 | 0.11.0 |
| pip/aries-cloudagent | >=0.7.0<0.10.5 | 0.10.5 |
| Hyperledger Aries Cloud Agent Python | >=0.7.0<0.10.5 | |
| Hyperledger Aries Cloud Agent Python | =0.11.0-rc1 | |
| Hyperledger Aries Cloud Agent Python | =0.11.0-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293
- https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2
- https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5
- https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0
- https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm
- https://nvd.nist.gov/vuln/detail/CVE-2024-21669
- https://github.com/advisories/GHSA-97x9-59rv-q5pm (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-21669?
CVE-2024-21669 has been classified as a potential critical vulnerability due to its impact on the verification of W3C Format Verifiable Credentials.
How do I fix CVE-2024-21669?
To fix CVE-2024-21669, you should upgrade the aries-cloudagent package to version 0.11.0 or 0.10.5 or later.
What products are affected by CVE-2024-21669?
CVE-2024-21669 affects multiple versions of the aries-cloudagent package, specifically versions 0.10.5 and 0.11.0-rc1.
What problem does CVE-2024-21669 cause?
CVE-2024-21669 can lead to incorrect verification results for W3C Verifiable Credentials presentations, which may affect trust and security.
Is there a workaround for CVE-2024-21669 if I cannot upgrade immediately?
There are no known workarounds for CVE-2024-21669, and upgrading to the latest version is strongly recommended.
- agent/type
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-97x9-59rv-q5pm
- alias/CVE-2024-21669
- agent/software-canonical-lookup
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-cve
- agent/event
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/trending
- agent/tags
- agent/source
- package-manager/pip
- vendor/hyperledger
- canonical/hyperledger aries cloud agent python
- version/hyperledger aries cloud agent python/0.7.0
- version/hyperledger aries cloud agent python/0.11.0-rc1
- version/hyperledger aries cloud agent python/0.11.0-rc2