CVE-2021-39193

Transaction validity oversight in pallet-ethereum

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Frontier is Substrate's Ethereum compatibility layer. Prior to commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` due to not validating the input data size. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have be included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch.

Frontier es la capa de compatibilidad con Ethereum de Substrate. Anterior al commit número 0b962f218f0cdd796dadfe26c3f09e68f7861b26, un error en "pallet-ethereum" puede causar que se incluyan transacciones no válidas en el estado del bloque de Ethereum en "pallet-ethereum" debido a que no es comprobado el tamaño de los datos de entrada. Cualquier transacción no válida incluida de esta manera no presenta posibilidad de alterar el estado interno de Ethereum o del Substrato. La transacción parecerá haber sido incluida, pero no tiene ningún efecto ya que es rechazada por el motor EVM. El impacto es aún más limitado por las restricciones de tamaño extrínsecas del sustrato. Se presenta un parche disponible en el commit número 0b962f218f0cdd796dadfe26c3f09e68f7861b26. No se presentan soluciones aparte de aplicar el parche

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-08-16 CVE Reserved
2021-09-03 CVE Published
2024-05-19 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-1284: Improper Validation of Specified Quantity in Input

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26	2023-07-17
https://github.com/paritytech/frontier/pull/465	2023-07-17
https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae	2023-07-17
https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm	2023-07-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Parity Search vendor "Parity"		Frontier Search vendor "Parity" for product "Frontier"				< 2021-09-03 Search vendor "Parity" for product "Frontier" and version " < 2021-09-03"		-		Affected