PT-2022-24800 · Immudb · Immudb

Published: 2022-11-21 · Updated: 2022-12-22

CVE-2022-39199

CVSS v3.1: 5.8 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

immudb versions prior to 1.4.1

Description

immudb is a database with built-in cryptographic proof and verification. The immudb client SDKs use the server's UUID to distinguish between different server instances, which lets a client connect to several immudb instances and keep a separate verified state for each server. However, the SDK does not validate this UUID and accepts any value the server reports. A malicious server can change its reported UUID, tricking the client into treating it as a different server and accepting a state unrelated to the one it previously retrieved from that server.

Recommendations

For versions prior to 1.4.1, update to version 1.4.1 to resolve the issue. As a temporary workaround, when initializing an immudb client object, use a custom state handler to store the state, with an implementation that ignores the server UUID so that the client continues to treat the server as the same instance even if the reported UUID changes.
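As an added illustration (not immudb's own code or SDK API) of why keying the pinned state by the server-reported UUID matters, the following Go model compares a store keyed by UUID and database with one that ignores the UUID, as the workaround describes. The state type, the key functions and the backwards-transaction check are simplifications assumed for this example; the real client verifies a cryptographic consistency proof.

```go
package main

import "fmt"

// ImmutableState models what a client pins per database (constructed for
// this example; the real SDK type carries a hash and signature as well).
type ImmutableState struct{ TxID uint64 }

// stateStore keys pinned states with a caller-supplied function so that
// both the vulnerable and the workaround behaviour share one type.
type stateStore struct {
	key func(serverUUID, db string) string
	m   map[string]ImmutableState
}

func newStore(key func(serverUUID, db string) string) *stateStore {
	return &stateStore{key: key, m: map[string]ImmutableState{}}
}

// vulnerableKey models pre-1.4.1 behaviour: the server-reported UUID is part
// of the key, so a server that reports a new UUID starts from empty history.
func vulnerableKey(serverUUID, db string) string { return serverUUID + "/" + db }

// workaroundKey models the advisory's workaround: the UUID is ignored, so the
// previously pinned state is always compared against whatever is offered next.
func workaroundKey(_, db string) string { return db }

// acceptState stands in for the SDK's verification step. This model only
// rejects a state whose transaction id moves backwards.
func acceptState(s *stateStore, serverUUID, db string, fresh ImmutableState) error {
	k := s.key(serverUUID, db)
	if prev, ok := s.m[k]; ok && fresh.TxID < prev.TxID {
		return fmt.Errorf("db %q: offered tx %d is behind pinned tx %d", db, fresh.TxID, prev.TxID)
	}
	s.m[k] = fresh
	return nil
}

// runScenario pins tx 100 under "uuid-A", then the same endpoint reports
// "uuid-B" with a much shorter history (constructed values).
func runScenario(s *stateStore) error {
	if err := acceptState(s, "uuid-A", "defaultdb", ImmutableState{TxID: 100}); err != nil {
		return err
	}
	return acceptState(s, "uuid-B", "defaultdb", ImmutableState{TxID: 5})
}

func main() {
	fmt.Println("vulnerable:", runScenario(newStore(vulnerableKey))) // <nil>: reset accepted
	fmt.Println("workaround:", runScenario(newStore(workaroundKey))) // error: rollback detected
}
```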


Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2022-39199
GHSA-6CQJ-6969-P57X
GO-2022-1118

Affected Products

Immudb