GMS-2020-548: Holder can (re)create authentic credentials after receiving a credential in vp-toolkit

March 6, 2020

The verifyVerifiableCredential() method check the cryptographic integrity of the Verifiable Credential, but it does not check if the credential.issuer DID matches the signer of the credential.

References

github.com/advisories/GHSA-p94w-42g3-f7h4
github.com/rabobank-blockchain/vp-toolkit/commit/6315936d1d7913fd116fa51a0dbbd29d82c0ce17
github.com/rabobank-blockchain/vp-toolkit/issues/13
github.com/rabobank-blockchain/vp-toolkit/security/advisories/GHSA-p94w-42g3-f7h4

Detect and mitigate GMS-2020-548 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →