PT-2020-12548 · Hyperledger · Hyperledger Indy Node

Alexandredeleze · Published 2020-12-24 · Updated 2024-08-30 · CVE-2020-11093

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Hyperledger Indy Node versions prior to 1.12.4

Description: The issue stems from a missing signature verification check on one transaction type, the NYM transaction, which lets an attacker make unauthorized alterations to the ledger. A malicious DID with no particular role can request an update to another DID's NYM record. It cannot change that DID's verkey or role, but it can change the DID's alias and the ledger metadata associated with it. Any DID can therefore write a NYM transaction that modifies another DID's record.

Recommendations: Update to Hyperledger Indy Node version 1.12.4 or later. Until the upgrade is applied, restricting which clients can reach the NYM transaction handler, and restricting the ability of DIDs to update other DIDs' aliases and metadata, reduces exposure, but these workarounds do not add the missing check and should not be treated as a fix.
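The following model illustrates both the authorization gap in the Description above and the kind of check the fix in 1.12.4 must add. It is an added example, not Indy Node code, and it does not reproduce the project's actual NYM handler or auth rules (the page does not describe them). What it borrows from Indy is only the NYM transaction type code "1" and the Trustee role code "0". The ledger contents, the DIDs (TRUSTEE1, ALICE, MALLORY) and the "signature" (an HMAC keyed with the verkey, standing in for Ed25519 so the example runs offline) are all constructed for the example. The vulnerable handler gates verkey and role changes but lets any signed DID rewrite another DID's alias; the hardened handler requires the submitter to own the target NYM or hold the Trustee role before any field is touched.

```python
import hashlib
import hmac
import json
import secrets

NYM = "1"       # Indy NYM transaction type code
TRUSTEE = "0"   # Indy role code for Trustee


def make_ledger():
    """Constructed ledger state: DID -> NYM record (hex verkeys stand in for base58 Ed25519 keys)."""
    ledger = {}
    for did, role in (("TRUSTEE1", TRUSTEE), ("ALICE", None), ("MALLORY", None)):
        ledger[did] = {"verkey": secrets.token_hex(32), "role": role, "alias": did.lower()}
    return ledger


def sign(ledger, signer, operation):
    """Toy stand-in for Ed25519: HMAC-SHA256 keyed with the signer's verkey (assumption)."""
    msg = json.dumps({"identifier": signer, "operation": operation}, sort_keys=True).encode()
    return hmac.new(ledger[signer]["verkey"].encode(), msg, hashlib.sha256).hexdigest()


def signature_ok(ledger, req):
    """The request must be signed by the DID it claims as identifier."""
    signer = req["identifier"]
    if signer not in ledger:
        return False
    expected = sign(ledger, signer, req["operation"])
    return hmac.compare_digest(expected, req["signature"])


def _common_checks(ledger, req):
    if not signature_ok(ledger, req):
        return "REJECT: bad signature"
    op = req["operation"]
    if op.get("type") != NYM:
        return "REJECT: not a NYM"
    if op["dest"] not in ledger:
        return "REJECT: creation not modelled"
    return None


def _write(ledger, op):
    for field in ("alias", "verkey", "role"):
        if field in op:
            ledger[op["dest"]][field] = op[field]
    return "OK"


def apply_nym_vulnerable(ledger, req):
    """Vulnerable model: only verkey/role changes are tied to the owner or a Trustee.
    Alias and other metadata of an existing NYM can be rewritten by any signed DID."""
    err = _common_checks(ledger, req)
    if err:
        return err
    op, signer = req["operation"], req["identifier"]
    if "verkey" in op and signer != op["dest"]:
        return "REJECT: only the owner may rotate verkey"
    if "role" in op and ledger[signer]["role"] != TRUSTEE:
        return "REJECT: only a Trustee may change role"
    # Missing check: nothing asks whether signer owns dest before alias is overwritten.
    return _write(ledger, op)


def apply_nym_fixed(ledger, req):
    """Hardened model: every update to an existing NYM must come from its owner or a
    Trustee, whatever fields it touches; the field-specific rules then still apply."""
    err = _common_checks(ledger, req)
    if err:
        return err
    op, signer = req["operation"], req["identifier"]
    is_owner = signer == op["dest"]
    is_trustee = ledger[signer]["role"] == TRUSTEE
    if not (is_owner or is_trustee):
        return "REJECT: signer neither owns dest nor is a Trustee"
    if "verkey" in op and not is_owner:
        return "REJECT: only the owner may rotate verkey"
    if "role" in op and not is_trustee:
        return "REJECT: only a Trustee may change role"
    return _write(ledger, op)


def demo():
    """Mallory (no role) renames Alice's NYM under each handler; returns (verdict, alias)."""
    results = {}
    for name, handler in (("vulnerable", apply_nym_vulnerable), ("fixed", apply_nym_fixed)):
        ledger = make_ledger()
        op = {"type": NYM, "dest": "ALICE", "alias": "owned-by-mallory"}
        req = {"identifier": "MALLORY", "operation": op, "signature": sign(ledger, "MALLORY", op)}
        results[name] = (handler(ledger, req), ledger["ALICE"]["alias"])
    # Even the vulnerable handler stops Mallory rotating Alice's verkey.
    ledger = make_ledger()
    op = {"type": NYM, "dest": "ALICE", "verkey": "NEWKEY"}
    req = {"identifier": "MALLORY", "operation": op, "signature": sign(ledger, "MALLORY", op)}
    results["vulnerable_verkey"] = (apply_nym_vulnerable(ledger, req), ledger["ALICE"]["verkey"] == "NEWKEY")
    # Alice may still rename herself, and a request altered after signing is refused.
    ledger = make_ledger()
    op = {"type": NYM, "dest": "ALICE", "alias": "alice-new"}
    req = {"identifier": "ALICE", "operation": op, "signature": sign(ledger, "ALICE", op)}
    results["owner"] = (apply_nym_fixed(ledger, req), ledger["ALICE"]["alias"])
    req["operation"] = {"type": NYM, "dest": "ALICE", "alias": "tampered"}
    results["tampered"] = (apply_nym_fixed(ledger, req), ledger["ALICE"]["alias"])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The point the model makes is that a valid signature only proves who submitted the request; ownership of the target NYM is a separate check, and it has to run before any field of an existing record is written, not only before the fields that happen to be considered sensitive.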


Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

CVE-2020-11093
GHSA-WH2W-39F4-RPV2
PYSEC-2020-48

Affected Products

Hyperledger Indy Node