
Shakreiner

Researcher from CyberArk Labs
#30041 of 53,638
8.8 Total CVSS
Vulnerabilities · 1
PT-2022-20465
8.8
2022-09-02
Indy Node · Indy Node · CVE-2022-31020
**Name of the Vulnerable Software and Affected Versions**

Indy Node versions 1.12.4 and prior

**Description**

The issue affects the server portion of a distributed ledger purpose-built for decentralized identity. In the affected versions, the `pool-upgrade` request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The transactions are not properly sanitized, which can lead to remote code execution. As a temporary measure, endorsers should not create DIDs for untrusted users, and a vulnerable ledger should configure `auth rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.

**Recommendations**

For Indy Node versions 1.12.4 and prior, upgrade to version 1.12.5 or later, which has been updated to properly authenticate `pool-upgrade` transactions and sanitize them to prevent remote code execution. As a temporary workaround, consider configuring `auth rules` to prevent new DIDs from being written to the ledger until the network can be upgraded. Restrict access to the `pool-upgrade` request handler to minimize the risk of exploitation.