CVE-2022-24759

Published: Mar 17, 2022Modified: Nov 21, 2024

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds.

Affected (2)

Products: Chainsafe: Js Libp2p Noise

1 product

Js Libp2p Noise

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Chainsafe Js Libp2p Noise	Before 4.1.2
Chainsafe Js Libp2p Noise	From 5.0.0 to 5.0.3

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/ChainSafe/js-libp2p-noise/pull/130

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc

Source: security-advisories@github.com

Third Party Advisory

https://github.com/ChainSafe/js-libp2p-noise/pull/130

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.