Dbluhm

**Name of the Vulnerable Software and Affected Versions** Hyperledger Aries Cloud Agent Python (ACA-Py) versions 0.7.0 through 0.10.4 **Description** The issue arises when verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs). The result of verifying the presentation `document.proof` was not factored into the final `verified` value on the presentation record. This flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. All ACA-Py users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability. **Recommendations** For Hyperledger Aries Cloud Agent Python (ACA-Py) versions 0.7.0 through 0.10.4, update to version 0.10.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs until a patched version is available.