PT-2022-23200 · Immudb · Immudb

Byop · Published 2022-11-21 · Updated 2022-12-22 · CVE-2022-36111

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: immudb versions prior to 1.4.1

Description: immudb is a database with built-in cryptographic proof and verification. A malicious immudb server can provide a falsified proof that will be accepted by the client SDK, signing a falsified transaction and replacing the genuine one. This situation cannot be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations, resulting in acceptance of an invalid state value. The vulnerability only affects immudb client SDKs; the immudb server itself is not affected.

Recommendations: For versions prior to 1.4.1, update to version 1.4.1 to resolve the issue. As a temporary workaround, consider running a genuine immudb replica server in a safe environment and fully synchronizing all databases with the primary, to ensure the server does not produce invalid proofs and to check that the history presented by the server does not contain falsified transactions.


Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2022-36111
GHSA-672P-M5JQ-MRH8
GO-2022-1117

Affected Products

Immudb