CVE-2024-21669

Name of the Vulnerable Software and Affected Versions Hyperledger Aries Cloud Agent Python (ACA-Py) versions 0.7.0 through 0.10.4

Description The issue arises when verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs). The result of verifying the presentation document.proof was not factored into the final verified value on the presentation record. This flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. All ACA-Py users depending on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs are impacted by this vulnerability.

Recommendations For Hyperledger Aries Cloud Agent Python (ACA-Py) versions 0.7.0 through 0.10.4, update to version 0.10.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs until a patched version is available.