CVE-2021-25835 - OpenCVE

Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Chainsafe	Ethermint

Configuration 1 [-]

cpe:2.3:a:chainsafe:ethermint:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/cosmos/ethermint/issues/687
https://github.com/cosmos/ethermint/pull/692

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-08T17:57:19

Updated: 2024-08-03T20:11:28.420Z

Reserved: 2021-01-22T00:00:00

Link: CVE-2021-25835

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-08T18:15:13.803

Modified: 2021-02-12T14:08:59.123

Link: CVE-2021-25835

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables \"cross-chain transaction replay\" attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-08T17:57:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cosmos/ethermint/issues/687"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cosmos/ethermint/pull/692"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-25835", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables \"cross-chain transaction replay\" attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cosmos/ethermint/issues/687", "refsource": "MISC", "url": "https://github.com/cosmos/ethermint/issues/687"}, {"name": "https://github.com/cosmos/ethermint/pull/692", "refsource": "MISC", "url": "https://github.com/cosmos/ethermint/pull/692"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:28.420Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cosmos/ethermint/issues/687"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cosmos/ethermint/pull/692"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-25835", "datePublished": "2021-02-08T17:57:19", "dateReserved": "2021-01-22T00:00:00", "dateUpdated": "2024-08-03T20:11:28.420Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainsafe:ethermint:*:*:*:*:*:*:*:*", "matchCriteriaId": "A35C91FB-4A33-4A25-8406-5F9143CF0828", "versionEndIncluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables \"cross-chain transaction replay\" attack."}, {"lang": "es", "value": "Cosmos Network Ethermint versiones anteriores e incluyendo a v0.4.0 est\u00e1 afectado por una vulnerabilidad de reproducci\u00f3n de transacciones entre cadenas en el m\u00f3dulo EVM. Dado que ethermint usa los mismos esquemas de chainIDEpoch y firma con ethereum para la compatibilidad, una firma verificada en ethereum sigue siendo v\u00e1lida en ethermint con el mismo contenido de msg y chainIDEpoch, que permite el ataque de \"cross-chain transaction replay\""}], "id": "CVE-2021-25835", "lastModified": "2021-02-12T14:08:59.123", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-08T18:15:13.803", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/cosmos/ethermint/issues/687"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cosmos/ethermint/pull/692"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-294"}], "source": "nvd@nist.gov", "type": "Primary"}]}