6 results (0.005 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Lodestar is a TypeScript implementation of the Ethereum Consensus specification. Prior to version 0.36.0, there is a possible consensus split given maliciously-crafted `AttesterSlashing` or `ProposerSlashing` being included on-chain. Because the developers represent `uint64` values as native javascript `number`s, there is an issue when those variables with large (greater than 2^53) `uint64` values are included on chain. In those cases, Lodestar may view valid_`AttesterSlashing` or `ProposerSlashing` as invalid, due to rounding errors in large `number` values. This causes a consensus split, where Lodestar nodes are forked away from the main network. • https://github.com/ChainSafe/lodestar/pull/3977 https://github.com/ChainSafe/lodestar/releases/tag/v0.36.0 https://github.com/ChainSafe/lodestar/security/advisories/GHSA-cvj7-5f3c-9vg9 • CWE-190: Integer Overflow or Wraparound •

CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0

`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds. • https://github.com/ChainSafe/js-libp2p-noise/pull/130 https://github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3 https://github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gcc • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack. Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0 está afectado por una vulnerabilidad de reproducción de transacciones entre cadenas en el módulo EVM.&#xa0;Dado que ethermint usa los mismos esquemas de chainIDEpoch y firma con ethereum para la compatibilidad, una firma verificada en ethereum sigue siendo válida en ethermint con el mismo contenido de msg y chainIDEpoch, que permite el ataque de "cross-chain transaction replay" • https://github.com/cosmos/ethermint/issues/687 https://github.com/cosmos/ethermint/pull/692 • CWE-294: Authentication Bypass by Capture-replay •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2

Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. Due to the inconsistency between the Storage caching cycle and the Tx processing cycle, Storage changes caused by a failed transaction are improperly reserved in memory. Although the bad storage cache data will be discarded at EndBlock, it is still valid in the current block, which enables many possible attacks such as an "arbitrary mint token". Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0, está afectado por la inconsistencia del ciclo de vida de la caché en el módulo EVM.&#xa0;Debido a la inconsistencia entre el ciclo de almacenamiento en caché y el ciclo de procesamiento de Tx, los cambios de almacenamiento causados ?? • https://github.com/iczc/Ethermint-CVE-2021-25837 https://github.com/cosmos/ethermint/issues/667#issuecomment-759284107 •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. The bytecode set in a FAILED transaction wrongfully remains in memory(stateObject.code) and is further written to persistent store at the Endblock stage, which may be utilized to build honeypot contracts. Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0 está afectado por la inconsistencia del ciclo de vida de la caché en el módulo EVM.&#xa0;El bytecode establecido en una transacción FAILED permanece erróneamente en la memoria (stateObject.code) y se escribe posteriormente en el almacén persistente en la etapa Endblock, que puede ser usado para construir contratos de honeypot • https://github.com/cosmos/ethermint/issues/667#issuecomment-759284303 •