CVE-2024-45244: 
NixOS vulnerability analysis and mitigation

Hyperledger Fabric through version 2.5.9 contains a security vulnerability where the system does not verify that a request has a timestamp within the expected time window (NVD, CVE). The vulnerability was discovered and disclosed on August 25, 2024.

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can potentially lead to integrity impacts (NVD). The issue is related to CWE-294 (Authentication Bypass by Capture-replay).

The vulnerability could allow an attacker to bypass authentication mechanisms by submitting requests with timestamps outside the expected time window. This could potentially lead to unauthorized access and compromise the integrity of the system (NVD).

A patch has been implemented in the Hyperledger Fabric repository that adds timestamp proposal checks to ensure requests fall within the expected time window. The fix is available in commit 155457a6624b3c74b22e5729c35c8499bfe952cd (GitHub Commit). Users should upgrade to a version containing this fix.