Vulnerabilites related to simpleledger - slp-validate
CVE-2020-11072 (GCVE-0-2020-11072)
Vulnerability from cvelistv5
Published
2020-05-12 00:45
Modified
2024-08-04 11:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-697 - Incorrect Comparison
Summary
In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| simpleledger | slp-validate |
Version: < 1.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "slp-validate",
"vendor": "simpleledger",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user\u0027s minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-12T00:45:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"
}
],
"source": {
"advisory": "GHSA-4w97-57v2-3w44",
"discovery": "UNKNOWN"
},
"title": "False-negative validation results in MINT transactions with invalid baton",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11072",
"STATE": "PUBLIC",
"TITLE": "False-negative validation results in MINT transactions with invalid baton"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "slp-validate",
"version": {
"version_data": [
{
"version_value": "\u003c 1.2.1"
}
]
}
}
]
},
"vendor_name": "simpleledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user\u0027s minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-697: Incorrect Comparison"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44",
"refsource": "CONFIRM",
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"
},
{
"name": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7",
"refsource": "MISC",
"url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"
}
]
},
"source": {
"advisory": "GHSA-4w97-57v2-3w44",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11072",
"datePublished": "2020-05-12T00:45:12",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15131 (GCVE-0-2020-15131)
Vulnerability from cvelistv5
Published
2020-07-30 15:00
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-697 - Incorrect Comparison
Summary
In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 1.2.2.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| simpleledger | slp-validate.js |
Version: < 1.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/simpleledger/slp-validate.js/security/advisories/GHSA-6jmr-jfh7-xg3h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "slp-validate.js",
"vendor": "simpleledger",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 1.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T15:00:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simpleledger/slp-validate.js/security/advisories/GHSA-6jmr-jfh7-xg3h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c"
}
],
"source": {
"advisory": "GHSA-6jmr-jfh7-xg3h",
"discovery": "UNKNOWN"
},
"title": "False-positive validity for NFT1 genesis transactions in SLP Validate",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15131",
"STATE": "PUBLIC",
"TITLE": "False-positive validity for NFT1 genesis transactions in SLP Validate"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "slp-validate.js",
"version": {
"version_data": [
{
"version_value": "\u003c 1.2.2"
}
]
}
}
]
},
"vendor_name": "simpleledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 1.2.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-697: Incorrect Comparison"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/simpleledger/slp-validate.js/security/advisories/GHSA-6jmr-jfh7-xg3h",
"refsource": "CONFIRM",
"url": "https://github.com/simpleledger/slp-validate.js/security/advisories/GHSA-6jmr-jfh7-xg3h"
},
{
"name": "https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c",
"refsource": "MISC",
"url": "https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c"
}
]
},
"source": {
"advisory": "GHSA-6jmr-jfh7-xg3h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15131",
"datePublished": "2020-07-30T15:00:17",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16761 (GCVE-0-2019-16761)
Vulnerability from cvelistv5
Published
2019-11-15 23:05
Modified
2024-08-05 01:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0.0 have been patched.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| simpleledger | slp-validate |
Version: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-wmx6-vxcf-c3gr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/simpleledger/slp-validate/commit/50ad96c2798dad6b9f9a13333dd05232defe5730#diff-fe58606994c412ba56a65141a7aa4a62L123"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "slp-validate",
"vendor": "simpleledger",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions \u003e1.0.0 have been patched."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-15T23:05:57",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-wmx6-vxcf-c3gr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simpleledger/slp-validate/commit/50ad96c2798dad6b9f9a13333dd05232defe5730#diff-fe58606994c412ba56a65141a7aa4a62L123"
}
],
"source": {
"advisory": "GHSA-wmx6-vxcf-c3gr",
"discovery": "EXTERNAL"
},
"title": "Validator parsing discrepancy due to string encoding in NPM slp-validate 1.0.0",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16761",
"STATE": "PUBLIC",
"TITLE": "Validator parsing discrepancy due to string encoding in NPM slp-validate 1.0.0"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "slp-validate",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.0.0",
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "simpleledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions \u003e1.0.0 have been patched."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-wmx6-vxcf-c3gr",
"refsource": "CONFIRM",
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-wmx6-vxcf-c3gr"
},
{
"name": "https://github.com/simpleledger/slp-validate/commit/50ad96c2798dad6b9f9a13333dd05232defe5730#diff-fe58606994c412ba56a65141a7aa4a62L123",
"refsource": "MISC",
"url": "https://github.com/simpleledger/slp-validate/commit/50ad96c2798dad6b9f9a13333dd05232defe5730#diff-fe58606994c412ba56a65141a7aa4a62L123"
}
]
},
"source": {
"advisory": "GHSA-wmx6-vxcf-c3gr",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16761",
"datePublished": "2019-11-15T23:05:57",
"dateReserved": "2019-09-24T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-11-15 23:15
Modified
2024-11-21 04:31
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Summary
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0.0 have been patched.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| simpleledger | slp-validate | 1.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:simpleledger:slp-validate:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "800B28E8-C6CC-40DA-8C74-449DF86D2630",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions \u003e1.0.0 have been patched."
},
{
"lang": "es",
"value": "Un script de Bitcoin especialmente dise\u00f1ado puede causar una discrepancia entre las reglas de consenso SLP especificadas y el resultado de comprobaci\u00f3n del paquete slp-validate@1.0.0 npm. Un atacante podr\u00eda crear un script de Bitcoin especialmente dise\u00f1ado para causar una bifurcaci\u00f3n f\u00edsica del consenso SLP. Todas las versiones posteriores a 1.0.0 han sido parcheadas."
}
],
"id": "CVE-2019-16761",
"lastModified": "2024-11-21T04:31:08.150",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-15T23:15:11.317",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/commit/50ad96c2798dad6b9f9a13333dd05232defe5730#diff-fe58606994c412ba56a65141a7aa4a62L123"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-wmx6-vxcf-c3gr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/commit/50ad96c2798dad6b9f9a13333dd05232defe5730#diff-fe58606994c412ba56a65141a7aa4a62L123"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-wmx6-vxcf-c3gr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-12 01:15
Modified
2024-11-21 04:56
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| simpleledger | slp-validate | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:simpleledger:slp-validate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A590BD4-A698-4851-843E-7B0E2C9E85FC",
"versionEndExcluding": "1.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user\u0027s minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071."
},
{
"lang": "es",
"value": "En SLP Validate (paquete slp-validate de npm) versiones anteriores a 1.2.1, los usuarios pod\u00edan experimentar resultados de comprobaci\u00f3n falsos negativos para operaciones de transacci\u00f3n MINT. Una billetera SLP mal implementada podr\u00eda permitir el gasto de los tokens afectados, lo cual resultar\u00eda en la destrucci\u00f3n del minting baton del usuario. Esto ha sido corregido en slp-validate en la versi\u00f3n 1.2.1. Adem\u00e1s, slpjs versi\u00f3n 0.27.2 presenta una correcci\u00f3n relacionada bajo el CVE-2020-11071 relacionado."
}
],
"id": "CVE-2020-11072",
"lastModified": "2024-11-21T04:56:43.600",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-12T01:15:11.213",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-30 15:15
Modified
2024-11-21 05:04
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 1.2.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| simpleledger | slp-validate | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:simpleledger:slp-validate:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2917828A-1F9A-4875-BB53-ADD30D7D5972",
"versionEndExcluding": "1.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 1.2.2."
},
{
"lang": "es",
"value": "En SLP Validate (npm package slp-validate) versiones anteriores a 1.2.2, se presenta una vulnerabilidad en los resultados de comprobaci\u00f3n de falsos-positivos para el tipo de transacci\u00f3n NFT1 Child Genesis. Una billetera SLP implementada inapropiadamente o un atacante oportunista podr\u00eda crear un token secundario NFT1 aparentemente v\u00e1lido sin grabar ninguno de los tipos de token del Grupo NFT1 como son requeridos por la especificaci\u00f3n NFT1. Esto es corregido en la versi\u00f3n 1.2.2"
}
],
"id": "CVE-2020-15131",
"lastModified": "2024-11-21T05:04:54.613",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-30T15:15:13.150",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate.js/security/advisories/GHSA-6jmr-jfh7-xg3h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slp-validate.js/security/advisories/GHSA-6jmr-jfh7-xg3h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}