Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
During the verification of Verifiable Presentations in W3C format using JSON-LD and Linked Data Proofs, the system was omitting the verification result of the `document.proof` field when determining the final `verified` status. As a result, a presentation with improperly constructed or forged proof could be marked as valid (true). Additionally, a malicious verifier who received such a presentation could save it and then replay it as their own to other parties (replay attack). The vulnerability is classified as CWE-347 — improper verification of cryptographic signature.
An attacker (credential holder or malicious verifier) can bypass the identity verification mechanism by submitting false or improperly signed proofs, and can impersonate other users by replaying intercepted presentations.
ACA-Py should be updated to version 0.10.5 or later (including 0.11.0), in which the issue has been fixed. Patches are available in the GitHub repository of the Hyperledger Aries Cloud Agent Python project.
Hyperledger Aries Cloud Agent Python (ACA-Py) versions 0.7.0 to 0.10.4 inclusive, using W3C credential verification in JSON-LD format with Linked Data Proofs (LDP-VC).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LHyperledger Aries Cloud Agent
APPHyperledger0.11.00.7.0 – 0.10.5 (bez)
Related vulnerabilities
Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one...
Hyperledger Fabric 2.3 allows attackers to cause a denial of service (orderer crash) by repeatedly sending a c...
Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions a...
Hyperledger Fabric is a permissioned distributed ledger framework. In affected versions if a consensus client ...
Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verif...