CVE-2024-48915

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-48915
Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in `lib/agent/certificate.dart` does not occur properly. During the delegation verification in the `_checkDelegation` function, the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. The certificate’s timestamp, i.e /time path, is also not verified, meaning that the certificate effectively has no expiration time. Version 1.0.0-dev.29 implements appropriate certificate verification.
CVSS

No CVSS.

References
Link Resource
https://github.com/AstroxNetwork/agent_dart/blob/f50971dfae3f536c1720f0084f28afbcf5d99cb5/lib/agent/certificate.dart#L162
https://github.com/AstroxNetwork/agent_dart/blob/main/lib/agent/certificate.dart
https://github.com/AstroxNetwork/agent_dart/commit/0d200686aabcd9313c7bc3e675cbdc82f6b775cf
https://github.com/AstroxNetwork/agent_dart/security/advisories/GHSA-fmj7-7gfw-64pg
Configurations

No configuration.

History

21 Nov 2024, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 0.0 		v2 : unknown
v3 : unknown

16 Oct 2024, 16:38

Type Values Removed Values Added
Summary
  • (es) Agent Dart es una librería de agentes creada para aplicaciones de Internet Computer para Dart y Flutter. Antes de la versión 1.0.0-dev.29, la verificación de certificados en `lib/agent/certificate.dart` no se realiza correctamente. Durante la verificación de delegación en la función `_checkDelegation`, no se verifican los canister_ranges. El impacto de no verificar los canister_ranges es que una subred puede firmar respuestas de canister en nombre de otra subred. La marca de tiempo del certificado, es decir, la ruta /time, tampoco se verifica, lo que significa que el certificado efectivamente no tiene tiempo de vencimiento. La versión 1.0.0-dev.29 implementa la verificación de certificados adecuada.

15 Oct 2024, 19:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 0.0

15 Oct 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-15 17:15

Updated : 2024-11-21 17:15

NVD link : CVE-2024-48915

Mitre link : CVE-2024-48915

CVE.ORG link : CVE-2024-48915

JSON object : View

Products Affected

No product.

CWE
CWE-295

Improper Certificate Validation


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024