{"containers": {"cna": {"affected": [{"product": "solana-pay", "vendor": "solana-labs", "versions": [{"status": "affected", "version": "< 0.2.1"}]}], "descriptions": [{"lang": "en", "value": "Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied `validateTransfer` function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. This issue has been patched as of version `0.2.1`. Users of the Solana Pay SDK should upgrade to it. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-01T21:10:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts"}], "source": {"advisory": "GHSA-j47c-j42c-mwqq", "discovery": "UNKNOWN"}, "title": "Weakness in Transfer Validation Logic in @solana/pay", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-35917", "STATE": "PUBLIC", "TITLE": "Weakness in Transfer Validation Logic in @solana/pay"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "solana-pay", "version": {"version_data": [{"version_value": "< 0.2.1"}]}}]}, "vendor_name": "solana-labs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied `validateTransfer` function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. This issue has been patched as of version `0.2.1`. Users of the Solana Pay SDK should upgrade to it. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-670: Always-Incorrect Control Flow Implementation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq", "refsource": "CONFIRM", "url": "https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq"}, {"name": "https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad", "refsource": "MISC", "url": "https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad"}, {"name": "https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference", "refsource": "MISC", "url": "https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference"}, {"name": "https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts", "refsource": "MISC", "url": "https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts"}]}, "source": {"advisory": "GHSA-j47c-j42c-mwqq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:58.604Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-35917", "datePublished": "2022-08-01T21:10:11", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:51:58.604Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solanalabs:pay:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA0D8FFF-0C7B-45CE-B3FD-FF53A6147F8B", "versionEndExcluding": "0.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied `validateTransfer` function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. This issue has been patched as of version `0.2.1`. Users of the Solana Pay SDK should upgrade to it. There are no known workarounds for this issue."}, {"lang": "es", "value": "Solana Pay es un protocolo y un conjunto de implementaciones de referencia que permiten a desarrolladores incorporar pagos descentralizados en sus aplicaciones y servicios. Cuando es localizada una transacci\u00f3n de Solana Pay usando una clave de referencia, puede comprobarse que representa una transferencia del importe deseado al destinatario, usando la funci\u00f3n suministrada \"validateTransfer\". Un caso de borde en relaci\u00f3n con este mecanismo podr\u00eda causar a la l\u00f3gica de comprobaci\u00f3n, comprobar m\u00faltiples transferencias. Este problema ha sido corregido a partir de la versi\u00f3n \"0.2.1\". Los usuarios del SDK de Solana Pay deber\u00edan actualizarlo. No se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-35917", "lastModified": "2023-05-16T11:00:41.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-01T22:15:10.157", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}