CVE-2021-39193

EPSS 1.15%
Veröffentlicht 03.09.2021 18:15:07
Zuletzt bearbeitet 21.11.2024 06:18:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Transaction validity oversight in pallet-ethereum

Frontier is Substrate's Ethereum compatibility layer. Prior to commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` due to not validating the input data size. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have be included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parity ≫ Frontier Version < 2021-09-03

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.15%	0.628

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26

Patch

Third Party Advisory

https://github.com/paritytech/frontier/pull/465

Patch

Third Party Advisory

https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae

Patch

Third Party Advisory

https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-39193

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-39193

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-39193

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-39193