6.5

CVE-2020-15091

Exploit

Denial of Service in TenderMint

TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TendermintTendermint Version >= 0.33.0 < 0.33.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.91% 0.551
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:N/I:N/A:P
security-advisories@github.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
Patch
Third Party Advisory
https://github.com/tendermint/tendermint/issues/4926
Third Party Advisory
Exploit
Issue Tracking
https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3
Third Party Advisory
Exploit