GHSA-425c-ccf3-3jrr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-425c-ccf3-3jrr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-425c-ccf3-3jrr/GHSA-425c-ccf3-3jrr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-425c-ccf3-3jrr
- Aliases
- Related
- Published
- 2019-11-15T23:10:35Z
- Modified
- 2023-11-01T04:50:39.689104Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- Critical severity vulnerability that affects slpjs
- Details
-
Validator parsing discrepancy due to string encoding
Impact
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus.
Patches
All versions > 0.21.3 are patched.
Workarounds
Upgrade to any version >= 0.21.4.
References
The bug was located and fixed here.
For more information
If you have any questions or comments about this advisory: * Open an issue in the slpjs repo * Email us at info@slp.cash
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-06-16T20:56:55Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-20" ] }- References
-
- https://github.com/simpleledger/slpjs/security/advisories/GHSA-425c-ccf3-3jrr
- https://nvd.nist.gov/vuln/detail/CVE-2019-16762
- https://github.com/simpleledger/slpjs/commit/ac8809b42e47790a6f0205991b36f2699ed10c84#diff-fe58606994c412ba56a65141a7aa4a62L701
- https://github.com/advisories/GHSA-425c-ccf3-3jrr
Affected packages
npm / slpjs
Package
- Name
- slpjs
- View open source insights on deps.dev
- Purl
- pkg:npm/slpjs