PT-2022-20465 · Indy Node · Indy Node

Shakreiner · Published 2022-09-02 · Updated 2022-09-13 · CVE-2022-31020

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Indy Node versions 1.12.4 and prior

Description

The issue affects the server portion of a distributed ledger purpose-built for decentralized identity. In the affected versions, the pool-upgrade request handler in Indy-Node allows an improperly authenticated attacker to remotely execute code on nodes within the network. The transactions are not properly sanitized, which can lead to remote code execution. As a temporary measure, endorsers should not create DIDs for untrusted users, and a vulnerable ledger should configure auth rules to prevent new DIDs from being written to the ledger until the network can be upgraded.

Recommendations

For Indy Node versions 1.12.4 and prior, upgrade to version 1.12.5 or later, which has been updated to properly authenticate pool-upgrade transactions and sanitize them to prevent remote code execution. As a temporary workaround, consider configuring auth rules to prevent new DIDs from being written to the ledger until the network can be upgraded. Restrict access to the pool-upgrade request handler to minimize the risk of exploitation.

Exploit

Fix

Improper Authentication

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-31020
GHSA-R6V9-P59M-GJ2P
PYSEC-2022-265

Affected Products

Indy Node