Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/68457?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/68457?format=api", "purl": "pkg:pypi/aries-cloudagent@0.10.5", "type": "pypi", "namespace": "", "name": "aries-cloudagent", "version": "0.10.5", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "0.10.5", "latest_non_vulnerable_version": "0.11.0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46805?format=api", "vulnerability_id": "VCID-dj1d-dcug-n3cn", "summary": "Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC\n### Impact\n\nWhen verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly `\"verified\": true`:\n\n```json\n{\n \"verified\": true,\n \"presentation_result\": {\n \"verified\": false,\n \"document\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\"\n ],\n \"type\": [\n \"VerifiablePresentation\"\n ],\n \"verifiableCredential\": [\n {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\",\n \"https://w3id.org/citizenship/v1\"\n ],\n \"type\": [\n \"VerifiableCredential\",\n \"PermanentResident\"\n ],\n \"issuer\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"issuanceDate\": \"2023-11-18\",\n \"credentialSubject\": {\n \"type\": [\n \"PermanentResident\"\n ],\n \"id\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"givenName\": \"Bob\",\n \"familyName\": \"Builder\",\n \"gender\": \"Male\",\n \"birthCountry\": \"Bahamas\",\n \"birthDate\": \"1958-07-17\"\n },\n \"proof\": {\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"assertionMethod\",\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"created\": \"2023-11-18T21:39:56.988853+00:00\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA\"\n }\n }\n ],\n \"proof\": {\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"authentication\",\n \"verificationMethod\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"created\": \"2023-11-18T21:39:59.188276+00:00\",\n \"challenge\": \"ce0956d4-206d-4b69-a087-52bbb9ddaf1d\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw\"\n }\n },\n \"results\": [\n {\n \"verified\": false,\n \"proof\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\"\n ],\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"authentication\",\n \"verificationMethod\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"created\": \"2023-11-18T21:39:59.188276+00:00\",\n \"challenge\": \"ce0956d4-206d-4b69-a087-52bbb9ddaf1d\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw\"\n },\n \"error\": \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\",\n \"purpose_result\": {\n \"valid\": false,\n \"error\": \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\"\n }\n }\n ],\n \"errors\": [\n \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\"\n ]\n },\n \"credential_results\": [\n {\n \"verified\": true,\n \"document\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\",\n \"https://w3id.org/citizenship/v1\"\n ],\n \"type\": [\n \"VerifiableCredential\",\n \"PermanentResident\"\n ],\n \"issuer\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"issuanceDate\": \"2023-11-18\",\n \"credentialSubject\": {\n \"type\": [\n \"PermanentResident\"\n ],\n \"id\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"givenName\": \"Bob\",\n \"familyName\": \"Builder\",\n \"gender\": \"Male\",\n \"birthCountry\": \"Bahamas\",\n \"birthDate\": \"1958-07-17\"\n },\n \"proof\": {\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"assertionMethod\",\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"created\": \"2023-11-18T21:39:56.988853+00:00\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA\"\n }\n },\n \"results\": [\n {\n \"verified\": true,\n \"proof\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\",\n \"https://w3id.org/citizenship/v1\"\n ],\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"assertionMethod\",\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"created\": \"2023-11-18T21:39:56.988853+00:00\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA\"\n },\n \"purpose_result\": {\n \"valid\": true,\n \"controller\": {\n \"@context\": \"https://w3id.org/security/v2\",\n \"id\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"assertionMethod\": [\n \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\"\n ],\n \"authentication\": [\n {\n \"id\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"type\": \"Ed25519VerificationKey2018\",\n \"controller\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"publicKeyBase58\": \"8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo\"\n }\n ],\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"https://www.w3.org/ns/did#service\": {\n \"id\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication\",\n \"type\": \"did-communication\",\n \"https://www.w3.org/ns/did#serviceEndpoint\": {\n \"id\": \"http://alice:3000\"\n }\n }\n }\n }\n }\n ]\n }\n ],\n \"errors\": [\n \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\"\n ]\n}\n```\n\nThe flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.\n\nThis vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release in 0.7.0.\n\nAll ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.\n\n### Patches\n\nThis issue has been patched in version [0.10.5](https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5) and fixed in [0.11.0](https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0).\n\n### Workarounds\n\nThere is no workaround other upgrading to a patched/fixed version of ACA-Py.", "references": [ { "reference_url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293" }, { "reference_url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2" }, { "reference_url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5" }, { "reference_url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0" }, { "reference_url": "https://github.com/advisories/GHSA-97x9-59rv-q5pm", "reference_id": "GHSA-97x9-59rv-q5pm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-97x9-59rv-q5pm" }, { "reference_url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm", "reference_id": "GHSA-97x9-59rv-q5pm", "reference_type": "", "scores": [], "url": "https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68457?format=api", "purl": "pkg:pypi/aries-cloudagent@0.10.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aries-cloudagent@0.10.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/68458?format=api", "purl": "pkg:pypi/aries-cloudagent@0.11.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aries-cloudagent@0.11.0" } ], "aliases": [ "CVE-2024-21669", "GHSA-97x9-59rv-q5pm" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dj1d-dcug-n3cn" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aries-cloudagent@0.10.5" }