Vulnerabilites related to simpleledger - slpjs
CVE-2019-16762 (GCVE-0-2019-16762)
Vulnerability from cvelistv5
Published
2019-11-15 23:10
Modified
2024-08-05 01:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| simpleledger | slpjs |
Version: < 0.21.4 < 0.21.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:47.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "slpjs",
"vendor": "simpleledger",
"versions": [
{
"lessThan": "0.21.4",
"status": "affected",
"version": "\u003c 0.21.4",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version \u003e= 0.21.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-15T23:10:57",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"
}
],
"source": {
"advisory": "cve/GHSA-425c-ccf3-3jrr",
"discovery": "EXTERNAL"
},
"title": "Validator parsing discrepancy due to string encoding in NPM slpjs",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16762",
"STATE": "PUBLIC",
"TITLE": "Validator parsing discrepancy due to string encoding in NPM slpjs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "slpjs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "\u003c 0.21.4",
"version_value": "0.21.4"
}
]
}
}
]
},
"vendor_name": "simpleledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version \u003e= 0.21.4."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr",
"refsource": "CONFIRM",
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"
},
{
"name": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701",
"refsource": "MISC",
"url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"
}
]
},
"source": {
"advisory": "cve/GHSA-425c-ccf3-3jrr",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2019-16762",
"datePublished": "2019-11-15T23:10:57",
"dateReserved": "2019-09-24T00:00:00",
"dateUpdated": "2024-08-05T01:24:47.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11071 (GCVE-0-2020-11071)
Vulnerability from cvelistv5
Published
2020-05-12 00:25
Modified
2024-08-04 11:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-697 - Incorrect Comparison
Summary
SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This is fixed in version 0.27.2.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| simpleledger | slpjs |
Version: < 0.27.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-jc83-cpf9-q7c6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/simpleledger/slpjs/commit/3671be2ffb6d4cfa94c00c6dc8649d1ba1d75754"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "slpjs",
"vendor": "simpleledger",
"versions": [
{
"status": "affected",
"version": "\u003c 0.27.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user\u0027s minting baton. This is fixed in version 0.27.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-12T00:25:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-jc83-cpf9-q7c6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simpleledger/slpjs/commit/3671be2ffb6d4cfa94c00c6dc8649d1ba1d75754"
}
],
"source": {
"advisory": "GHSA-jc83-cpf9-q7c6",
"discovery": "UNKNOWN"
},
"title": "False-negative validation results in MINT transactions with invalid baton",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11071",
"STATE": "PUBLIC",
"TITLE": "False-negative validation results in MINT transactions with invalid baton"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "slpjs",
"version": {
"version_data": [
{
"version_value": "\u003c 0.27.2"
}
]
}
}
]
},
"vendor_name": "simpleledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user\u0027s minting baton. This is fixed in version 0.27.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-697: Incorrect Comparison"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-jc83-cpf9-q7c6",
"refsource": "CONFIRM",
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-jc83-cpf9-q7c6"
},
{
"name": "https://github.com/simpleledger/slpjs/commit/3671be2ffb6d4cfa94c00c6dc8649d1ba1d75754",
"refsource": "MISC",
"url": "https://github.com/simpleledger/slpjs/commit/3671be2ffb6d4cfa94c00c6dc8649d1ba1d75754"
}
]
},
"source": {
"advisory": "GHSA-jc83-cpf9-q7c6",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11071",
"datePublished": "2020-05-12T00:25:15",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15130 (GCVE-0-2020-15130)
Vulnerability from cvelistv5
Published
2020-07-30 15:00
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-697 - Incorrect Comparison
Summary
In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 0.27.4.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| simpleledger | slpjs |
Version: < 0.27.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "slpjs",
"vendor": "simpleledger",
"versions": [
{
"status": "affected",
"version": "\u003c 0.27.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 0.27.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T15:00:23",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c"
}
],
"source": {
"advisory": "GHSA-cc2p-4jhr-xhhx",
"discovery": "UNKNOWN"
},
"title": "False-positive validity for NFT1 genesis transactions in SLPJS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15130",
"STATE": "PUBLIC",
"TITLE": "False-positive validity for NFT1 genesis transactions in SLPJS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "slpjs",
"version": {
"version_data": [
{
"version_value": "\u003c 0.27.4"
}
]
}
}
]
},
"vendor_name": "simpleledger"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 0.27.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-697: Incorrect Comparison"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx",
"refsource": "CONFIRM",
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx"
},
{
"name": "https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c",
"refsource": "MISC",
"url": "https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c"
}
]
},
"source": {
"advisory": "GHSA-cc2p-4jhr-xhhx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15130",
"datePublished": "2020-07-30T15:00:24",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-05-12 01:15
Modified
2024-11-21 04:56
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This is fixed in version 0.27.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| simpleledger | slpjs | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "035AB245-62DC-434B-A63F-D1AC45D95DFC",
"versionEndExcluding": "0.27.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user\u0027s minting baton. This is fixed in version 0.27.2."
},
{
"lang": "es",
"value": "SLPJS (paquete slpjs de npm) versiones anteriores a 0.27.2, presenta una vulnerabilidad donde los usuarios podr\u00edan experimentar resultados de comprobaci\u00f3n falsos negativos para las operaciones de transacci\u00f3n MINT. Una billetera SLP mal implementada podr\u00eda permitir el gasto de los tokens afectados, lo que resultar\u00eda en la destrucci\u00f3n minting baton del usuario. Esto es corrigido en la versi\u00f3n 0.27.2."
}
],
"id": "CVE-2020-11071",
"lastModified": "2024-11-21T04:56:43.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-12T01:15:11.150",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Tool Signature"
],
"url": "https://github.com/simpleledger/slpjs/commit/3671be2ffb6d4cfa94c00c6dc8649d1ba1d75754"
},
{
"source": "security-advisories@github.com",
"tags": [
"Tool Signature"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-jc83-cpf9-q7c6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Tool Signature"
],
"url": "https://github.com/simpleledger/slpjs/commit/3671be2ffb6d4cfa94c00c6dc8649d1ba1d75754"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Tool Signature"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-jc83-cpf9-q7c6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-15 23:15
Modified
2024-11-21 04:31
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H
Summary
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| simpleledger | slpjs | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "11BD320D-9D20-424E-B945-6EAFC7CB0ACF",
"versionEndExcluding": "0.21.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version \u003e= 0.21.4."
},
{
"lang": "es",
"value": "Un script de Bitcoin especialmente dise\u00f1ado puede causar una discrepancia entre las reglas de consenso SLP especificadas y el resultado de comprobaci\u00f3n del paquete slpjs npm. Un atacante podr\u00eda crear un script de Bitcoin especialmente dise\u00f1ado para causar una bifurcaci\u00f3n f\u00edsica del consenso de SLP. Los usuarios afectados pueden actualizar a cualquier versi\u00f3n posterior a 0.21.4 incluy\u00e9ndola."
}
],
"id": "CVE-2019-16762",
"lastModified": "2024-11-21T04:31:08.293",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-15T23:15:11.443",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-30 15:15
Modified
2024-11-21 05:04
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 0.27.4.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| simpleledger | slpjs | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1EAA7BF1-0BF4-491A-8E92-3A5BAFFC2156",
"versionEndExcluding": "0.27.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification. This is fixed in version 0.27.4."
},
{
"lang": "es",
"value": "En SLPJS (npm package slpjs) versiones anteriores a 0.27.4, se presenta una vulnerabilidad en los resultados de comprobaci\u00f3n de falsos-positivos para el tipo de transacci\u00f3n NFT1 Child Genesis. Una billetera SLP implementada inapropiadamente o un atacante oportunista podr\u00eda crear un token secundario NFT1 aparentemente v\u00e1lido sin grabar ninguno de los tipos de token del Grupo NFT1 como lo requiere la especificaci\u00f3n NFT1. Esto es corregido en la versi\u00f3n 0.27.4"
}
],
"id": "CVE-2020-15130",
"lastModified": "2024-11-21T05:04:54.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-30T15:15:13.057",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}