CVE-2020-11072 - OpenCVE

In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Simpleledger	Slp-validate

Configuration 1 [-]

cpe:2.3:a:simpleledger:slp-validate:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7
https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-05-12T00:45:12

Updated: 2024-08-04T11:21:14.682Z

Reserved: 2020-03-30T00:00:00

Link: CVE-2020-11072

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-05-12T01:15:11.213

Modified: 2020-05-19T16:04:53.063

Link: CVE-2020-11072

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "slp-validate", "vendor": "simpleledger", "versions": [{"status": "affected", "version": "< 1.2.1"}]}], "descriptions": [{"lang": "en", "value": "In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-697", "description": "CWE-697: Incorrect Comparison", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-12T00:45:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"}], "source": {"advisory": "GHSA-4w97-57v2-3w44", "discovery": "UNKNOWN"}, "title": "False-negative validation results in MINT transactions with invalid baton", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11072", "STATE": "PUBLIC", "TITLE": "False-negative validation results in MINT transactions with invalid baton"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "slp-validate", "version": {"version_data": [{"version_value": "< 1.2.1"}]}}]}, "vendor_name": "simpleledger"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-697: Incorrect Comparison"}]}]}, "references": {"reference_data": [{"name": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44", "refsource": "CONFIRM", "url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"}, {"name": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7", "refsource": "MISC", "url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"}]}, "source": {"advisory": "GHSA-4w97-57v2-3w44", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:21:14.682Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11072", "datePublished": "2020-05-12T00:45:12", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.682Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:simpleledger:slp-validate:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A590BD4-A698-4851-843E-7B0E2C9E85FC", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton. This has been fixed in slp-validate in version 1.2.1. Additonally, slpjs version 0.27.2 has a related fix under related CVE-2020-11071."}, {"lang": "es", "value": "En SLP Validate (paquete slp-validate de npm) versiones anteriores a 1.2.1, los usuarios pod\u00edan experimentar resultados de comprobaci\u00f3n falsos negativos para operaciones de transacci\u00f3n MINT. Una billetera SLP mal implementada podr\u00eda permitir el gasto de los tokens afectados, lo cual resultar\u00eda en la destrucci\u00f3n del minting baton del usuario. Esto ha sido corregido en slp-validate en la versi\u00f3n 1.2.1. Adem\u00e1s, slpjs versi\u00f3n 0.27.2 presenta una correcci\u00f3n relacionada bajo el CVE-2020-11071 relacionado."}], "id": "CVE-2020-11072", "lastModified": "2020-05-19T16:04:53.063", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-05-12T01:15:11.213", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/simpleledger/slp-validate/commit/cde95c0c6470dceb4f023cd462f904135ebd73e7"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/simpleledger/slp-validate/security/advisories/GHSA-4w97-57v2-3w44"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-697"}], "source": "security-advisories@github.com", "type": "Secondary"}]}