{"url":"http://public2.vulnerablecode.io/api/packages/68457?format=json","purl":"pkg:pypi/aries-cloudagent@0.10.5","type":"pypi","namespace":"","name":"aries-cloudagent","version":"0.10.5","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.11.0","latest_non_vulnerable_version":"0.11.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46805?format=json","vulnerability_id":"VCID-dj1d-dcug-n3cn","summary":"Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC\n### Impact\n\nWhen verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly `\"verified\": true`:\n\n```json\n{\n \"verified\": true,\n \"presentation_result\": {\n \"verified\": false,\n \"document\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\"\n ],\n \"type\": [\n \"VerifiablePresentation\"\n ],\n \"verifiableCredential\": [\n {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\",\n \"https://w3id.org/citizenship/v1\"\n ],\n \"type\": [\n \"VerifiableCredential\",\n \"PermanentResident\"\n ],\n \"issuer\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"issuanceDate\": \"2023-11-18\",\n \"credentialSubject\": {\n \"type\": [\n \"PermanentResident\"\n ],\n \"id\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"givenName\": \"Bob\",\n \"familyName\": \"Builder\",\n \"gender\": \"Male\",\n \"birthCountry\": \"Bahamas\",\n \"birthDate\": \"1958-07-17\"\n },\n \"proof\": {\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"assertionMethod\",\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"created\": \"2023-11-18T21:39:56.988853+00:00\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA\"\n }\n }\n ],\n \"proof\": {\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"authentication\",\n \"verificationMethod\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"created\": \"2023-11-18T21:39:59.188276+00:00\",\n \"challenge\": \"ce0956d4-206d-4b69-a087-52bbb9ddaf1d\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw\"\n }\n },\n \"results\": [\n {\n \"verified\": false,\n \"proof\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\"\n ],\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"authentication\",\n \"verificationMethod\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C#z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"created\": \"2023-11-18T21:39:59.188276+00:00\",\n \"challenge\": \"ce0956d4-206d-4b69-a087-52bbb9ddaf1d\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..4ciLzT3oF-Ch9nngGVgI_fBNIo_RPPXzRuFXjMx4AdwVNM4ioeB3TNDbHsF7fPXANznkZR0bHceyvMN3-CUSAw\"\n },\n \"error\": \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\",\n \"purpose_result\": {\n \"valid\": false,\n \"error\": \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\"\n }\n }\n ],\n \"errors\": [\n \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\"\n ]\n },\n \"credential_results\": [\n {\n \"verified\": true,\n \"document\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\",\n \"https://w3id.org/citizenship/v1\"\n ],\n \"type\": [\n \"VerifiableCredential\",\n \"PermanentResident\"\n ],\n \"issuer\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"issuanceDate\": \"2023-11-18\",\n \"credentialSubject\": {\n \"type\": [\n \"PermanentResident\"\n ],\n \"id\": \"did:key:z6MkrpbudRMUpTWSdqFcG2ytbYu2QQfgGFUf8GJpShR8Gy7C\",\n \"givenName\": \"Bob\",\n \"familyName\": \"Builder\",\n \"gender\": \"Male\",\n \"birthCountry\": \"Bahamas\",\n \"birthDate\": \"1958-07-17\"\n },\n \"proof\": {\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"assertionMethod\",\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"created\": \"2023-11-18T21:39:56.988853+00:00\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA\"\n }\n },\n \"results\": [\n {\n \"verified\": true,\n \"proof\": {\n \"@context\": [\n \"https://www.w3.org/2018/credentials/v1\",\n \"https://w3id.org/citizenship/v1\"\n ],\n \"type\": \"Ed25519Signature2018\",\n \"proofPurpose\": \"assertionMethod\",\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"created\": \"2023-11-18T21:39:56.988853+00:00\",\n \"jws\": \"eyJhbGciOiAiRWREU0EiLCAiYjY0IjogZmFsc2UsICJjcml0IjogWyJiNjQiXX0..eKdLMhKJkiVNzTKOEv14KyAFJnk8QX5MqXPmRE5OjQvwRNkeXk1lQRovhDhXKw154OrSqLHgfSNwBd3xfwuDCA\"\n },\n \"purpose_result\": {\n \"valid\": true,\n \"controller\": {\n \"@context\": \"https://w3id.org/security/v2\",\n \"id\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"assertionMethod\": [\n \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\"\n ],\n \"authentication\": [\n {\n \"id\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"type\": \"Ed25519VerificationKey2018\",\n \"controller\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd\",\n \"publicKeyBase58\": \"8dMkWKZxsK7vS8sR4XgS7gWvRawPp5TMYVFvnU2RyXqo\"\n }\n ],\n \"verificationMethod\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#key-1\",\n \"https://www.w3.org/ns/did#service\": {\n \"id\": \"did:sov:EzcfrVw7Tveho5NjrmDWnd#did-communication\",\n \"type\": \"did-communication\",\n \"https://www.w3.org/ns/did#serviceEndpoint\": {\n \"id\": \"http://alice:3000\"\n }\n }\n }\n }\n }\n ]\n }\n ],\n \"errors\": [\n \"The challenge is not as expected; challenge=ce0956d4-206d-4b69-a087-52bbb9ddaf1d, expected=328daf6e-f1f5-475a-944e-6446e7b3a969\"\n ]\n}\n```\n\nThe flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own.\n\nThis vulnerability has been present since the first implementation of support for JSON-LD W3C Verifiable Credential Data Model presentations, in Aries Cloud Agent Python release in 0.7.0.\n\nAll ACA-Py Users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.\n\n### Patches\n\nThis issue has been patched in version [0.10.5](https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5) and fixed in [0.11.0](https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0).\n\n### Workarounds\n\nThere is no workaround other upgrading to a patched/fixed version of ACA-Py.","references":[{"reference_url":"https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293"},{"reference_url":"https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2"},{"reference_url":"https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5"},{"reference_url":"https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0"},{"reference_url":"https://github.com/advisories/GHSA-97x9-59rv-q5pm","reference_id":"GHSA-97x9-59rv-q5pm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-97x9-59rv-q5pm"},{"reference_url":"https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm","reference_id":"GHSA-97x9-59rv-q5pm","reference_type":"","scores":[],"url":"https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68457?format=json","purl":"pkg:pypi/aries-cloudagent@0.10.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aries-cloudagent@0.10.5"},{"url":"http://public2.vulnerablecode.io/api/packages/68458?format=json","purl":"pkg:pypi/aries-cloudagent@0.11.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aries-cloudagent@0.11.0"}],"aliases":["CVE-2024-21669","GHSA-97x9-59rv-q5pm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dj1d-dcug-n3cn"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aries-cloudagent@0.10.5"}