CVE-2019-16762

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.9 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:P

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701	Patch Third Party Advisory
https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2019-11-15 23:15

Updated : 2024-02-04 20:39

NVD link : CVE-2019-16762

Mitre link : CVE-2019-16762

CVE.ORG link : CVE-2019-16762

JSON object : View

Products Affected

simpleledger

slpjs

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2019-16762", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 0.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 0.5}]}, "published": "2019-11-15T23:15:11.443", "references": [{"url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4."}, {"lang": "es", "value": "Un script de Bitcoin especialmente dise\u00f1ado puede causar una discrepancia entre las reglas de consenso SLP especificadas y el resultado de comprobaci\u00f3n del paquete slpjs npm. Un atacante podr\u00eda crear un script de Bitcoin especialmente dise\u00f1ado para causar una bifurcaci\u00f3n f\u00edsica del consenso de SLP. Los usuarios afectados pueden actualizar a cualquier versi\u00f3n posterior a 0.21.4 incluy\u00e9ndola."}], "lastModified": "2019-11-19T19:12:46.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "11BD320D-9D20-424E-B945-6EAFC7CB0ACF", "versionEndExcluding": "0.21.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}