Reported

May 15, 2019

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

libp2p-core (crates.io)

Type

Vulnerability

Aliases

• CVE-2019-15545
• GHSA-4q4x-67hx-5mpg

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

High

Availability Impact

None

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Patched

• ^0.7.1
• >=0.8.1

Unaffected

• <0.3

Description

Affected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid.

This allows an attacker to impersonate any node identity.

Advisory available under CC0-1.0 license.