CVE-2020-11093

Name: CVE-2020-11093
Creator: NVD / NIST
Published: 2020-12-24T20:15:12.337+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.93%

Last modified Jun 17, 2026

CVE-2020-11093 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger. EPSS estimates a 0.93% chance of exploitation in the next 30 days.

Description

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger. Updating a DID with a nym transaction will be written to the ledger if neither ROLE or VERKEY are being changed, regardless of sender. A malicious DID with no particular role can ask an update for another DID (but cannot modify its verkey or role). This is bad because 1) Any DID can write a nym transaction to the ledger (i.e., any DID can spam the ledger with nym transactions), 2) Any DID can change any other DID's alias, 3) The update transaction modifies the ledger metadata associated with a DID.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

0.93%

56.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-347

Affected Software

Vendor	Product	Versions
Linuxfoundation	Indy-Node	< 1.12.4

References

https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1124Release Notes, Third Party Advisory
https://github.com/hyperledger/indy-node/blob/master/docs/source/auth_rules.mdThird Party Advisory
https://github.com/hyperledger/indy-node/commit/55056f22c83b7c3520488b615e1577e0f895d75aPatch, Third Party Advisory
https://github.com/hyperledger/indy-node/security/advisories/GHSA-wh2w-39f4-rpv2Exploit, Third Party Advisory
https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1124Release Notes, Third Party Advisory
https://github.com/hyperledger/indy-node/blob/master/docs/source/auth_rules.mdThird Party Advisory
https://github.com/hyperledger/indy-node/commit/55056f22c83b7c3520488b615e1577e0f895d75aPatch, Third Party Advisory
https://github.com/hyperledger/indy-node/security/advisories/GHSA-wh2w-39f4-rpv2Exploit, Third Party Advisory

Timeline

Published: Dec 24, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-11093?

How severe is CVE-2020-11093?

CVE-2020-11093 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.93% probability of exploitation in the next 30 days.

How do I fix CVE-2020-11093?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-11093?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST