PT-2024-33265 · Unknown · Agent Dart

Eduarddfinity · Published 2024-10-15 · Updated 2024-10-16 · CVE-2024-48915

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Agent Dart versions prior to 1.0.0-dev.29

Description: The issue is improper certificate verification in the lib/agent/certificate.dart file. During delegation verification in the checkDelegation function, the canister ranges of the delegating subnet are not checked, so a subnet can sign canister responses on behalf of another subnet. In addition, the certificate's timestamp (the /time path) is not checked, so a certificate effectively never expires.

Recommendations: For versions prior to 1.0.0-dev.29, update to version 1.0.0-dev.29, which fixes the certificate verification issue. As a temporary workaround, consider restricting use of the checkDelegation function in lib/agent/certificate.dart until the update is applied, and avoid relying on the canister ranges variable in the affected API endpoints until the issue is resolved.
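The two checks the advisory reports as missing from checkDelegation, shown as an added Python example (not Agent Dart's code): the effective canister id must fall inside one of the delegating subnet's inclusive canister ranges (principals compared as byte strings), and the certificate's /time leaf (an unsigned LEB128 count of nanoseconds) must lie within an accepted window of the verifier's clock. The 5-minute window, the sample principals and the timestamps are constructed assumptions; ranges are modelled as already-decoded (start, end) byte pairs rather than parsed from CBOR.

```python
MAX_CERT_AGE_NS = 5 * 60 * 10**9  # assumed window: 5 minutes either side of "now"

def encode_leb128(value: int) -> bytes:
    """Unsigned LEB128 encoder, used here only to build the sample /time leaf."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def decode_leb128(data: bytes) -> int:
    """Decode the unsigned LEB128 integer stored in the certificate /time leaf."""
    value, shift = 0, 0
    for byte in data:
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value
        shift += 7
    raise ValueError("truncated LEB128")

def canister_in_ranges(canister_id: bytes, ranges) -> bool:
    """Inclusive range check; principals compare as byte strings."""
    return any(start <= canister_id <= end for start, end in ranges)

def check_delegation(canister_id, subnet_ranges, time_leaf, now_ns, max_age_ns=MAX_CERT_AGE_NS):
    """Return (ok, reason); both checks are the ones the advisory says were absent."""
    if not canister_in_ranges(canister_id, subnet_ranges):
        return False, "canister id outside the delegated subnet's canister_ranges"
    if abs(now_ns - decode_leb128(time_leaf)) > max_age_ns:
        return False, "certificate /time outside the accepted window"
    return True, "ok"

# Constructed sample data (not real IC principals, subnets or certificates).
NOW_NS = 1_729_000_000 * 10**9
SUBNET_RANGES = [(b"\x00\x00\x00\x00\x00\x10\x00\x00\x01\x01", b"\x00\x00\x00\x00\x00\x10\xff\xff\x01\x01")]
HOSTED = b"\x00\x00\x00\x00\x00\x10\x00\x42\x01\x01"   # inside the subnet's range
FOREIGN = b"\x00\x00\x00\x00\x00\x20\x00\x42\x01\x01"  # hosted by some other subnet

def demo():
    fresh = encode_leb128(NOW_NS - 30 * 10**9)         # certificate signed 30 s ago
    stale = encode_leb128(NOW_NS - 24 * 3600 * 10**9)  # certificate signed a day ago
    return (
        check_delegation(HOSTED, SUBNET_RANGES, fresh, NOW_NS),
        check_delegation(FOREIGN, SUBNET_RANGES, fresh, NOW_NS),  # cross-subnet signing
        check_delegation(HOSTED, SUBNET_RANGES, stale, NOW_NS),   # would pass with no expiry check
    )
```

Without the range check the second case is accepted, and without the time check the third is; both are what the fix in 1.0.0-dev.29 closes.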

Weakness Enumeration

Improper Verification of Cryptographic Signature
Improper Certificate Validation

Related Identifiers

CVE-2024-48915
GHSA-FMJ7-7GFW-64PG

Affected Products

Agent Dart