GHSA-rch7-f4h5-x9rj

Опубликовано: 23 авг. 2019

Источник: github

Github: Прошло ревью

CVSS3: 9.1

Описание

Identity Spoofing in libp2p-secio

Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability.

Recommendation

Update to version 0.9.0 or later.

Ссылки

https://github.com/libp2p/js-libp2p-secio/pull/95
https://snyk.io/vuln/npm:libp2p-secio:20180115
https://www.npmjs.com/advisories/558

Пакеты

Наименование

libp2p-secio

npm

Затронутые версииВерсия исправления

< 0.9.0

0.9.0

9.1 Critical

CVSS3

Дефекты

CWE-290

9.1 Critical

CVSS3

Дефекты

CWE-290