CVE-2019-16762 - OpenCVE

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Simpleledger	Slpjs

Configuration 1 [-]

cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701
https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2019-11-15T23:10:57

Updated: 2024-08-05T01:24:47.227Z

Reserved: 2019-09-24T00:00:00

Link: CVE-2019-16762

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-11-15T23:15:11.443

Modified: 2019-11-19T19:12:46.587

Link: CVE-2019-16762

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "slpjs", "vendor": "simpleledger", "versions": [{"lessThan": "0.21.4", "status": "affected", "version": "< 0.21.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-11-15T23:10:57", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"}], "source": {"advisory": "cve/GHSA-425c-ccf3-3jrr", "discovery": "EXTERNAL"}, "title": "Validator parsing discrepancy due to string encoding in NPM slpjs", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16762", "STATE": "PUBLIC", "TITLE": "Validator parsing discrepancy due to string encoding in NPM slpjs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "slpjs", "version": {"version_data": [{"version_affected": "<", "version_name": "< 0.21.4", "version_value": "0.21.4"}]}}]}, "vendor_name": "simpleledger"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr", "refsource": "CONFIRM", "url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"}, {"name": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701", "refsource": "MISC", "url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"}]}, "source": {"advisory": "cve/GHSA-425c-ccf3-3jrr", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:47.227Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16762", "datePublished": "2019-11-15T23:10:57", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:47.227Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:simpleledger:slpjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "11BD320D-9D20-424E-B945-6EAFC7CB0ACF", "versionEndExcluding": "0.21.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4."}, {"lang": "es", "value": "Un script de Bitcoin especialmente dise\u00f1ado puede causar una discrepancia entre las reglas de consenso SLP especificadas y el resultado de comprobaci\u00f3n del paquete slpjs npm. Un atacante podr\u00eda crear un script de Bitcoin especialmente dise\u00f1ado para causar una bifurcaci\u00f3n f\u00edsica del consenso de SLP. Los usuarios afectados pueden actualizar a cualquier versi\u00f3n posterior a 0.21.4 incluy\u00e9ndola."}], "id": "CVE-2019-16762", "lastModified": "2019-11-19T19:12:46.587", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2019-11-15T23:15:11.443", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}