
Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`

High severity GitHub Reviewed Published Jun 17, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo libp2p-core (Rust)

Affected versions

>= 0.30.0-rc.1, < 0.30.2

Patched versions

0.30.2

Description

Affected versions of this crate did not check that the public key used to create the signature matches the PeerId in the PeerRecord.
Any combination of signing key and PeerId was accepted as valid.

This allows an attacker to republish an existing PeerRecord with a different PeerId.
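The following is an added illustration of the missing check, not libp2p-core's own code: the types, the digest-based PeerId derivation and the toy "signature" are constructed stand-ins so it runs offline, and `verify_vulnerable` / `verify_fixed` contrast the pre-0.30.2 behaviour with the binding check that the patched version enforces.

```rust
// Added illustration, not libp2p-core's code: models the key/PeerId binding check.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

fn digest(parts: &[&[u8]]) -> u64 {
    let mut h = DefaultHasher::new();
    for p in parts { p.hash(&mut h); }
    h.finish()
}
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct PublicKey(pub u64); // constructed stand-in for a real public key
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct PeerId(pub u64);
impl PeerId {
    /// A PeerId is derived from the public key; a digest stands in for the real hash here.
    pub fn from_public_key(key: &PublicKey) -> PeerId {
        PeerId(digest(&[&b"peer-id"[..], &key.0.to_le_bytes()[..]]))
    }
}
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct PeerRecord { pub peer_id: PeerId, pub addrs: Vec<String> }
impl PeerRecord {
    fn encode(&self) -> Vec<u8> {
        let mut out = self.peer_id.0.to_le_bytes().to_vec();
        for a in &self.addrs { out.extend_from_slice(a.as_bytes()); out.push(0); }
        out
    }
}
pub struct SignedEnvelope { pub key: PublicKey, pub record: PeerRecord, pub signature: u64 }
impl SignedEnvelope {
    /// Toy "signature" (digest over key and payload); NOT a secure scheme, only a stand-in.
    pub fn sign(key: PublicKey, record: PeerRecord) -> Self {
        let signature = digest(&[&b"sig"[..], &key.0.to_le_bytes()[..], &record.encode()[..]]);
        SignedEnvelope { key, record, signature }
    }
    fn signature_valid(&self) -> bool {
        self.signature == digest(&[&b"sig"[..], &self.key.0.to_le_bytes()[..], &self.record.encode()[..]])
    }
}
/// Pre-0.30.2 behaviour: a valid signature is enough; any key/PeerId pairing is accepted.
pub fn verify_vulnerable(env: &SignedEnvelope) -> Option<&PeerRecord> {
    if env.signature_valid() { Some(&env.record) } else { None }
}
/// Patched behaviour: the signing key must also derive to the PeerId carried in the record.
pub fn verify_fixed(env: &SignedEnvelope) -> Option<&PeerRecord> {
    if !env.signature_valid() { return None; }
    if PeerId::from_public_key(&env.key) != env.record.peer_id { return None; }
    Some(&env.record)
}
```

A record signed by its owner passes both checks; the same record re-signed under another key still passes `verify_vulnerable` but is rejected by `verify_fixed`.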

References

Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jun 13, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-wc36-xgcc-jwpr

Source code
