CVE-2022-36111 - Vulnerability Details - OpenCVE

immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Codenotary	Immudb

Configuration 1 [-]

cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/codenotary/immudb/releases/tag/v1.4.1
https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8
https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake
https://pkg.go.dev/github.com/codenotary/immudb/pkg/client

History

Tue, 22 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-23T00:00:00.000Z

Updated: 2025-04-22T16:02:01.177Z

Reserved: 2022-07-15T00:00:00.000Z

Link: CVE-2022-36111

Vulnrichment

Updated: 2024-08-03T09:52:00.524Z

NVD

Status : Modified

Published: 2022-11-23T18:15:11.787

Modified: 2024-11-21T07:12:24.857

Link: CVE-2022-36111

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36111", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-22T16:02:01.177Z", "dateReserved": "2022-07-15T00:00:00.000Z", "datePublished": "2022-11-23T00:00:00.000Z"}, "containers": {"cna": {"title": "immundb has insufficient verification of data authenticity", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-23T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."}], "affected": [{"vendor": "codenotary", "product": "immudb", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "references": [{"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"}, {"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"}, {"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"}, {"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "cweId": "CWE-345"}]}], "source": {"advisory": "GHSA-672p-m5jq-mrh8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.524Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1", "tags": ["x_transferred"]}, {"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8", "tags": ["x_transferred"]}, {"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:41:23.490260Z", "id": "CVE-2022-36111", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T16:02:01.177Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36111", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-22T16:02:01.177Z", "dateReserved": "2022-07-15T00:00:00.000Z", "datePublished": "2022-11-23T00:00:00.000Z"}, "containers": {"cna": {"title": "immundb has insufficient verification of data authenticity", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-23T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."}], "affected": [{"vendor": "codenotary", "product": "immudb", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "references": [{"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"}, {"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"}, {"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"}, {"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "cweId": "CWE-345"}]}], "source": {"advisory": "GHSA-672p-m5jq-mrh8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.524Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1", "tags": ["x_transferred"]}, {"url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8", "tags": ["x_transferred"]}, {"url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-36111", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T15:41:23.490260Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:41:25.343Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codenotary:immudb:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EA9B368-DD84-4E51-ABFB-7FDEF2E9807E", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability. This issue has been patched in version 1.4.1."}, {"lang": "es", "value": "immudb es una base de datos con prueba y verificaci\u00f3n criptogr\u00e1fica incorporada. En versiones anteriores a la 1.4.1, un servidor immudb malicioso puede proporcionar una prueba falsificada que ser\u00e1 aceptada por el SDK del cliente al firmar una transacci\u00f3n falsificada que reemplaza la genuina. Esta situaci\u00f3n no puede ser provocada por un servidor immudb genuino y requiere que el cliente realice una lista espec\u00edfica de operaciones verificadas que resultan en la aceptaci\u00f3n de un valor de estado no v\u00e1lido. Esta vulnerabilidad solo afecta a los SDK del cliente immudb; el servidor immudb en s\u00ed no se ve afectado por esta vulnerabilidad. Este problema se solucion\u00f3 en la versi\u00f3n 1.4.1."}], "id": "CVE-2022-36111", "lastModified": "2024-11-21T07:12:24.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-23T18:15:11.787", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/releases/tag/v1.4.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/security/advisories/GHSA-672p-m5jq-mrh8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/codenotary/immudb/tree/master/docs/security/vulnerabilities/linear-fake"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/github.com/codenotary/immudb/pkg/client"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Secondary"}]}