5.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39199

GHSA ID

GHSA-6cqj-6969-p57x

EPSS Score

0.12382%

CWE

CWE-345

Published

11/21/2022

Updated

2/14/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39199

CVE-2022-39199: Lack of proper validation of server UUID can be used by the server to trick the client to accept invalid proofs

Impact

immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not validate this uuid and can accept any value reported by the server. A malicious server can change the reported UUID tricking the client to treat it as a different server thus accepting a state completely irrelevant to the one previously retrieved from the server.

Patches

The following Go SDK versions are not vulnerable:

| SDK | Version | |-------|------------| | go | 1.4.1 |

Workarounds

When initializing an immudb client object, a custom state handler can be used to store the state. Providing custom implementation that ignores the server UUID can be used to ensure that even if the server changes the UUID, client will still consider it to be the same server.

For more information

If you have any questions or comments about this advisory:

Open a discussion in immudb Discussions
Email us at immudb-security@codenotary.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39199

CVE-2022-39199:

5.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39199

GHSA ID

GHSA-6cqj-6969-p57x

EPSS Score

0.12382%

CWE

CWE-345

Published

11/21/2022

Updated

2/14/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/codenotary/immudb	go	< 1.4.1	1.4.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing server UUID validation when establishing client state. The pre-patch code in client.go created state services using NewStateService with a UUIDProvider that directly used server-supplied UUIDs. The session.go code similarly used server-reported UUIDs without validation. The patch adds ServerIdentityCheck validation before state creation, confirming these functions were vulnerable. The CWE-345 classification and commit message about validating server identity further confirm these state management functions were the vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39199: Lack of proper validation of server UUID can be used by the server to trick the client to accept invalid proofs

Impact

Patches

Workarounds

For more information

CVE-2022-39199:

5.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2022-39199: Lack of proper validation of server UUID can be used by the server to trick the client to accept invalid proofs

Impact

Patches

Workarounds

For more information

Technical Details

5.8

5.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI