Improper Key Verification

Affecting ipns package, versions >=0.1.1 <0.1.3

Overview

ipns contains all the necessary code for creating, understanding and validating IPNS records.

Affected versions of this package are vulnerable to Improper Key Verification due to improper public key verification, resulting in any key being accepted as valid.
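
The bug class described above, shown as an added example in a simplified model; this is not the ipns package's code or record format. It assumes a record that embeds its signer's public key and a name derived as the SHA-256 of that key, and all function names and sample values are hypothetical.

```javascript
// Simplified model, not the ipns package's code or wire format (assumed names and layout).
const crypto = require('crypto');

// Assumed naming scheme: the name is the SHA-256 of the DER-encoded public key.
function nameFor(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Build a record that embeds the signer's public key next to the signature.
function createRecord(keyPair, value) {
  return {
    value,
    pubKey: keyPair.publicKey.export({ type: 'spki', format: 'der' }),
    signature: crypto.sign(null, Buffer.from(value), keyPair.privateKey),
  };
}

// Flawed check: `name` is never consulted, so whatever key the record carries is "valid".
function validateUnbound(name, record) {
  const key = crypto.createPublicKey({ key: record.pubKey, format: 'der', type: 'spki' });
  return crypto.verify(null, Buffer.from(record.value), key, record.signature);
}

// Corrected check: the embedded key must hash to the name being resolved
// before its signature is considered at all.
function validateBound(name, record) {
  const key = crypto.createPublicKey({ key: record.pubKey, format: 'der', type: 'spki' });
  const expected = Buffer.from(name, 'hex');
  const actual = Buffer.from(nameFor(key), 'hex');
  if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) return false;
  return crypto.verify(null, Buffer.from(record.value), key, record.signature);
}

// Constructed sample data: one key that owns the name, one unrelated key.
function demo() {
  const owner = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const name = nameFor(owner.publicKey);
  const genuine = createRecord(owner, '/ipfs/constructed-owner-value');
  const foreign = createRecord(other, '/ipfs/constructed-other-value');
  return {
    unboundGenuine: validateUnbound(name, genuine),
    unboundForeign: validateUnbound(name, foreign),
    boundGenuine: validateBound(name, genuine),
    boundForeign: validateBound(name, foreign),
  };
}
```

Only the bound check distinguishes the two records: a valid signature proves possession of some private key, not of the key the name commits to.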

Remediation

Upgrade ipns to version 0.1.3 or higher.

CVSS Score

7.5 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O

Credit: Brendan McMillion
CWE: CWE-287
Snyk ID: SNYK-JS-IPNS-173683
Disclosed: 24 Aug, 2018
Published: 13 Feb, 2019