CVE-2022-24759
8.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
@chainsafe/libp2p-noise contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. @chainsafe/libp2p-noise before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ChainSafe | js-libp2p-noise | < 4.1.2 | affected |
| ChainSafe | js-libp2p-noise | >= 5.0.0, < 5.0.3 | affected |
Weaknesses
- CWE-347: CWE-347: Improper Verification of Cryptographic Signature
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc
- https://github.com/ChainSafe/js-libp2p-noise/pull/130
- https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc
- https://github.com/ChainSafe/js-libp2p-noise/pull/130
- https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.