Commit

advisory-database[bot] committed Oct 15, 2024
1 parent 0ed8319 commit 8289247
Showing 1 changed file with 5 additions and 1 deletion.
@@ -1,14 +1,18 @@
{
"schema_version": "1.4.0",
"id": "GHSA-fmj7-7gfw-64pg",
"modified": "2024-10-15T19:56:27Z",
"modified": "2024-10-15T23:36:57Z",
"published": "2024-10-15T17:33:50Z",
"aliases": [
"CVE-2024-48915"
],
"summary": "Agent Dart is missing certificate verification checks",
"details": "Certificate verification (in [lib/agent/certificate.dart](https://github.com/AstroxNetwork/agent_dart/blob/main/lib/agent/certificate.dart)) has been found to contain two issues:\n - During the delegation verification (in [_checkDelegation](https://github.com/AstroxNetwork/agent_dart/blob/f50971dfae3f536c1720f0084f28afbcf5d99cb5/lib/agent/certificate.dart#L162) function) the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. You have more details in the IC specification [here](https://internetcomputer.org/docs/current/references/ic-interface-spec#certification-delegation). Also for reference you can check how is this implemented in [the agent-rs](https://github.com/dfinity/agent-rs/blob/608a3f4cfdcdfc5ca1ca74a1b9d33f2137a2d324/ic-agent/src/agent/mod.rs#L903-L914).\n - The certificate’s timestamp, i.e /time path, is not verified, meaning that the certificate effectively has no expiration time. The [IC spec](https://internetcomputer.org/docs/current/references/ic-interface-spec#http-query) doesn’t specify an expiry times, it gives some suggestions, quoting: \"A reasonable expiry time for timestamps in R.signatures and the certificate Cert is 5 minutes (analogously to the maximum allowed ingress expiry enforced by the IC mainnet). Delegations require expiry times of at least a week since the IC mainnet refreshes the delegations only after replica upgrades which typically happen once a week\". For reference you can check how is this implemented in the agent-rs ([here](https://github.com/dfinity/agent-rs/blob/608a3f4cfdcdfc5ca1ca74a1b9d33f2137a2d324/ic-agent/src/agent/mod.rs#L820) and [here](https://github.com/dfinity/agent-rs/blob/608a3f4cfdcdfc5ca1ca74a1b9d33f2137a2d324/ic-agent/src/agent/mod.rs#L876-L887)).\n\n**Additionally**, seems [replica signed queries](https://internetcomputer.org/blog/features/replica-signed-queries) aren’t implemented",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
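Review bot: The CVSS_V3 entry in "severity" uses the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N, and with C:N/I:N/A:N the base score is 0.0, so any consumer that reads only the v3.1 vector will rank this advisory as no impact. That contradicts the CVSS_V4 entry next to it (VC:H/VI:H) and the "details" text, which says a subnet can sign canister responses on behalf of another subnet and that certificates effectively never expire. The two vectors also disagree on attack complexity (AC:L against AC:H) and user interaction (UI:N against UI:P). Either derive the v3.1 vector from the same assessment as the v4 one, with non-None confidentiality and integrity impact, or leave the CVSS_V3 entry out until the upstream score is corrected.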