CVE-2024-21669: 
Python vulnerability analysis and mitigation

Hyperledger Aries Cloud Agent Python (ACA-Py) contains a critical vulnerability (CVE-2024-21669) affecting its verification of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs). The vulnerability was introduced in version 0.7.0 and has been fixed in version 0.10.5. The core issue lies in the verification process where the result of verifying the presentation document.proof was not factored into the final verified value on the presentation record (GitHub Advisory).

The vulnerability stems from a flaw in the verification logic where the presentation's document.proof verification status was not included in determining the overall verification result. This could lead to situations where a presentation with invalid proofs would still be marked as verified. The issue has received a CVSS v3.1 base score of 8.8 HIGH from NVD (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and 9.9 CRITICAL from GitHub (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L). The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD).

The vulnerability allows two types of attacks: holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs can present incorrectly constructed proofs, and malicious verifiers can save and replay a presentation from legitimate holders as their own. This impacts all ACA-Py deployments that rely on W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (GitHub Advisory).

The vulnerability has been patched in version 0.10.5 and is also fixed in version 0.11.0. There are no workarounds available other than upgrading to a patched version of ACA-Py. Users are strongly recommended to upgrade to one of these versions as soon as possible (Release Notes).