Vulnerability Report: GO-2022-1118

CVE-2022-39199, GHSA-6cqj-6969-p57x
Affects: github.com/codenotary/immudb
Published: Dec 22, 2022
Modified: May 20, 2024

A malicious server can trick a client into treating it as a different server by changing the reported UUID. immudb client SDKs use the server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can therefore change the reported UUID and trick the client into treating it as a different server.

For detailed information about this vulnerability, visit https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x.

Affected Packages

Path

Go Versions

Symbols
github.com/codenotary/immudb/pkg/client

before v1.4.1

Aliases

CVE-2022-39199
GHSA-6cqj-6969-p57x

References

https://github.com/codenotary/immudb/security/advisories/GHSA-6cqj-6969-p57x
https://github.com/codenotary/immudb/commit/cade04756ff3f0a3b9e8d24149062744574adf5d
https://vuln.go.dev/ID/GO-2022-1118.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL