PT-2020-17851 · Ssb-Db · Arj03 +4
Published 2020-06-11 · Updated 2020-06-17 · CVE-2020-4045
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
SSB-DB version 20.0.0
SSB-Server version 16.0.0
Description
The issue is an information disclosure vulnerability. The get() method is supposed to decrypt messages only when explicitly asked to, but a bug makes it decrypt any message it can. As a result it returns the decrypted content of private messages, which a malicious peer could use to gain access to private data. This only affects peers running SSB-DB@20.0.0 who also have private messages, and is only known to be exploitable if you are also running SSB-OOO, which exposes a thin wrapper around get() to anonymous peers.
Recommendations
For SSB-DB version 20.0.0, upgrade to version 20.0.1 immediately.
For SSB-Server version 16.0.0, upgrade to version 16.0.1 to get the fixed version of SSB-DB.
As a temporary workaround, consider disabling the SSB-OOO plugin, which closes the most obvious attack vector.
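To make the defect concrete, here is an added illustration (not ssb-db's own code) of the two get() shapes described above: one that decrypts whenever it can, and one that decrypts only on explicit request. It uses a constructed two-message log and a toy unbox() in place of real private-box decryption, and assumes the option name `private: true` for an explicit decrypt request.

```javascript
// Added illustration (not ssb-db's own code): a simplified model of the
// get() defect described above. A message is "boxed" (private) when its
// content is an object with a `box` field; the toy unbox() below is a
// constructed stand-in for real SSB private-box decryption.
const LOCAL_KEY = '@local-peer';                     // constructed identity

// Constructed log: one public message, one private message we can read.
const log = {
  '%pub': { author: '@alice', content: { type: 'post', text: 'hello world' } },
  '%priv': {
    author: '@alice',
    content: { box: 'c2VjcmV0LWJveA==', recipients: ['@local-peer'] },
  },
};

// Toy decryption: succeeds only when the local key is a recipient. Real
// private messages carry a ciphertext; this stand-in reveals a fixed body.
function unbox(content) {
  if (!content.box || !content.recipients.includes(LOCAL_KEY)) return null;
  return { type: 'post', text: 'secret plans', private: true };
}

// Vulnerable shape: decrypts whenever it can, ignoring opts.private.
function getVulnerable(opts) {
  const msg = log[opts.id];
  if (!msg) return null;
  const plain = unbox(msg.content);
  return plain ? { ...msg, content: plain } : msg;
}

// Fixed shape: decrypt only when the caller explicitly asked for it
// (assumed option name: private). Anonymous callers get the box back.
function getFixed(opts) {
  const msg = log[opts.id];
  if (!msg) return null;
  if (opts.private !== true) return msg;
  const plain = unbox(msg.content);
  return plain ? { ...msg, content: plain } : msg;
}

// Defender's check: does a get() without private:true (the shape an
// SSB-OOO wrapper would issue on behalf of a remote peer) leak plaintext?
function leaksPrivateContent(getFn) {
  const res = getFn({ id: '%priv' });
  return typeof res.content.box !== 'string';
}
```

Running leaksPrivateContent against your own get() wrapper, with a private message of your own in the log, is a quick way to confirm that the installed version no longer returns plaintext to unprivileged callers.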
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Ssb-Db
Ssb-Ooo
Ssb-Server