GHSA-6jmr-jfh7-xg3h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6jmr-jfh7-xg3h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-6jmr-jfh7-xg3h/GHSA-6jmr-jfh7-xg3h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6jmr-jfh7-xg3h
- Aliases
- Related
- Published
- 2020-07-30T14:58:53Z
- Modified
- 2023-11-01T04:51:57.203807Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- False-positive validity for NFT1 genesis transactions
- Details
-
Impact
In the npm package named "slp-validate", versions prior to 1.2.2 are vulnerable to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.
Patches
npm package "slp-validate" has been patched and is published and tagged as version 1.2.2.
Workarounds
Upgrade to slp-validate 1.2.2.
References
- Package location: https://www.npmjs.com/package/slp-validate
- SLP NFT1 spec: https://slp.dev/specs/slp-nft-1/#nft1-protocol-requirements
- Git commit hash fixing this issue: https://github.com/simpleledger/slp-validate.js/commit/3963cf914afae69084059b82483da916d97af65c
- Unit tests have been added to assist validator implementations in avoiding this bug: https://github.com/simpleledger/slp-unit-test-data/commit/8c942eacfae12686dcf1f3366321445a4fba73e7
For more information
If you have any questions or comments about this advisory please open an issue in the slp-validate repository.
- Database specific
{ "cwe_ids": [ "CWE-697" ], "github_reviewed_at": "2020-07-30T14:54:40Z", "github_reviewed": true, "nvd_published_at": null, "severity": "CRITICAL" }- References
Affected packages
npm / slp-validate
Package
- Name
- slp-validate
- View open source insights on deps.dev
- Purl
- pkg:npm/slp-validate