CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32985 – Stellar-core's Overlay - security fix for DDoS mitigation
https://notcve.org/view.php?id=CVE-2024-32985
Stellar-core is a reference implementation for the peer-to-peer agent that manages the Stellar network. Prior to 20.4.0, core nodes could be randomly crashed due to a race condition with a 3rd party library. The likelihood of affecting the network is low since crashed nodes come back up online right away. Code fix mitigation is part of Stellar-core v20.4.0 release Stellar-core es una implementación de referencia para el agente peer-to-peer que gestiona la red Stellar. Antes de 20.4.0, los nodos principales podían bloquearse aleatoriamente debido a una condición de ejecución con una librería de terceros. • https://github.com/stellar/stellar-core/security/advisories/GHSA-mgx8-frjx-x33m • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2023-46135 – Panic in SignedPayload::from_payload
https://notcve.org/view.php?id=CVE-2023-46135
rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys. A panic vulnerability occurs when a specially crafted payload is used.`inner_payload_len` should not above 64. This vulnerability has been patched in version 0.0.8. rs-stellar-strkey es una librería de Rust para codificar/decodificar Stellar Strkeys. Se produce una vulnerabilidad de pánico cuando se utiliza un payload especialmente manipulado. • https://github.com/stellar/rs-stellar-strkey/issues/58 https://github.com/stellar/rs-stellar-strkey/security/advisories/GHSA-5873-6fwq-463f • CWE-248: Uncaught Exception •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40580 – Freighter mnemonic phrase may be accessed by Javascript through a private API
https://notcve.org/view.php?id=CVE-2023-40580
Freighter is a Stellar chrome extension. It may be possible for a malicious website to access the recovery mnemonic phrase when the Freighter wallet is unlocked. This vulnerability impacts access control to the mnemonic recovery phrase. This issue was patched in version 5.3.1. • https://github.com/stellar/freighter/commit/81f78ba008c41ce631a3d0f9e4449f4bbd90baee https://github.com/stellar/freighter/pull/948 https://github.com/stellar/freighter/security/advisories/GHSA-vqr6-hwg2-775w • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32738 – Utils.readChallengeTx does not verify the server account signature
https://notcve.org/view.php?id=CVE-2021-32738
js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon server. The `Utils.readChallengeTx` function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the `serverAccountID` has signed the transaction. In js-stellar-sdk before version 8.2.3, the function does not verify that the server has signed the transaction. Applications that also used `Utils.verifyChallengeTxThreshold` or `Utils.verifyChallengeTxSigners` to verify the signatures including the server signature on the challenge transaction are unaffected as those functions verify the server signed the transaction. Applications calling `Utils.readChallengeTx` should update to version 8.2.3, the first version with a patch for this vulnerability, to ensure that the challenge transaction is completely valid and signed by the server creating the challenge transaction. js-stellar-sdk es una biblioteca de Javascript para comunicarse con un servidor Stellar Horizon. • https://github.com/stellar/js-stellar-sdk/releases/tag/v8.2.3 https://github.com/stellar/js-stellar-sdk/security/advisories/GHSA-6cgh-hjpw-q3gq • CWE-287: Improper Authentication CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 0CVE-2002-0916
https://notcve.org/view.php?id=CVE-2002-0916
Format string vulnerability in the allowuser code for the Stellar-X msntauth authentication module, as distributed in Squid 2.4.STABLE6 and earlier, allows remote attackers to execute arbitrary code via format strings in the user name, which are not properly handled in a syslog call. • http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0087.html http://online.securityfocus.com/archive/1/275347 http://www.iss.net/security_center/static/9248.php http://www.securityfocus.com/bid/4929 http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.STABLE6-2.4.STABLE7.gz •