Vulnerability Details CVE-2022-24759
`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.3%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 5.8
References
- https://github.com/ChainSafe/js-libp2p-noise/pull/130
- https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3
- https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc
- https://github.com/ChainSafe/js-libp2p-noise/pull/130
- https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3
- https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc
Products affected by CVE-2022-24759
-
cpe:2.3:a:chainsafe:js-libp2p-noise:-
-
cpe:2.3:a:chainsafe:js-libp2p-noise:1.0.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:1.1.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:1.1.1
-
cpe:2.3:a:chainsafe:js-libp2p-noise:1.1.2
-
cpe:2.3:a:chainsafe:js-libp2p-noise:2.0.1
-
cpe:2.3:a:chainsafe:js-libp2p-noise:2.0.2
-
cpe:2.3:a:chainsafe:js-libp2p-noise:2.0.3
-
cpe:2.3:a:chainsafe:js-libp2p-noise:2.0.4
-
cpe:2.3:a:chainsafe:js-libp2p-noise:2.0.5
-
cpe:2.3:a:chainsafe:js-libp2p-noise:3.0.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:3.1.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:4.0.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:4.1.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:4.1.1
-
cpe:2.3:a:chainsafe:js-libp2p-noise:5.0.0
-
cpe:2.3:a:chainsafe:js-libp2p-noise:5.0.1
-
cpe:2.3:a:chainsafe:js-libp2p-noise:5.0.2