Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
False-positive validity for NFT1 genesis transactions in SLPJS
Impact
In the npm package "slpjs", versions prior to 0.27.4 can return a false-positive validation outcome for the NFT1 Child GENESIS transaction type: a child genesis that does not satisfy the NFT1 requirements is reported as valid. A poorly implemented SLP wallet, or an opportunistic attacker, could therefore create an NFT1 child token that appears valid without burning any NFT1 Group token, which the NFT1 specification requires.
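As an added illustration (not slpjs's own code or its validator), the following JavaScript sketches the input-side check an SLP validator has to apply to an NFT1 child GENESIS transaction, beside a lenient check that inspects only the GENESIS OP_RETURN fields and therefore accepts a child that burns nothing, which is the false-positive class this advisory describes. The token_type values (0x01 fungible, 0x81 NFT1 Group, 0x41 NFT1 Child) are from the SLP specifications; the rule that vin[0] must spend exactly one unit of a validated NFT1 Group output, with child quantity 1, decimals 0 and no mint baton, is my reading of the NFT1 spec linked below and should be checked against it. The validated-output cache, transaction objects and txids are constructed for the example.

```javascript
// Added example, not slpjs code: the input-side check an SLP validator must
// apply to an NFT1 child GENESIS transaction, beside the lenient check that
// looks only at the GENESIS OP_RETURN fields and so accepts a child that
// burns nothing (the false-positive class this advisory describes).

// SLP token_type values: 0x01 fungible, 0x81 NFT1 Group, 0x41 NFT1 Child.
const TOKEN_TYPE_FUNGIBLE = 0x01;
const TOKEN_TYPE_NFT1_GROUP = 0x81;
const TOKEN_TYPE_NFT1_CHILD = 0x41;

// Stand-in for the validator's cache of outputs whose own transactions have
// already been validated, keyed "txid:vout". A real validator fills this by
// walking the token DAG; the entries and txids below are constructed for
// the example.
const validatedOutputs = new Map([
  ["aaaa:1", { tokenType: TOKEN_TYPE_NFT1_GROUP, qty: 1n }], // 1 group token
  ["bbbb:1", { tokenType: TOKEN_TYPE_NFT1_GROUP, qty: 5n }], // 5 group tokens
  ["cccc:1", { tokenType: TOKEN_TYPE_FUNGIBLE, qty: 1n }],   // fungible, not a group token
]);

// Minimal parsed view of a candidate child GENESIS: the OP_RETURN fields the
// check needs plus the transaction inputs. Script parsing is out of scope.
function makeChildGenesis(vin, { qty = 1n, decimals = 0, batonVout = null } = {}) {
  return { tokenType: TOKEN_TYPE_NFT1_CHILD, qty, decimals, batonVout, vin };
}

// Lenient check: OP_RETURN fields only. Every constraint here is satisfied by
// a transaction whose inputs carry no SLP tokens at all, so a child token can
// be "minted" out of nothing.
function isValidChildGenesisLenient(tx) {
  return tx.tokenType === TOKEN_TYPE_NFT1_CHILD
    && tx.qty === 1n
    && tx.decimals === 0
    && tx.batonVout === null;
}

// Hardened check. Returns null when the transaction is acceptable, otherwise
// the first rule it breaks. The vin[0] / exactly-one-unit rule is my reading
// of the NFT1 spec linked in the advisory (assumption: verify against it).
function childGenesisRejectReason(tx, outputs = validatedOutputs) {
  if (tx.tokenType !== TOKEN_TYPE_NFT1_CHILD) return "token_type is not NFT1 child (0x41)";
  if (tx.qty !== 1n) return "child genesis quantity must be 1";
  if (tx.decimals !== 0) return "child genesis decimals must be 0";
  if (tx.batonVout !== null) return "child genesis must not create a mint baton";
  if (tx.vin.length === 0) return "transaction has no inputs";
  // The group token burn must be the first input; a valid group output
  // elsewhere in vin does not count.
  const { txid, vout } = tx.vin[0];
  const burned = outputs.get(`${txid}:${vout}`);
  if (!burned) return "vin[0] does not spend a validated SLP output";
  if (burned.tokenType !== TOKEN_TYPE_NFT1_GROUP) return "vin[0] does not spend an NFT1 Group (0x81) output";
  if (burned.qty !== 1n) return "vin[0] must spend exactly 1 unit of the group token";
  return null;
}

function isValidChildGenesis(tx, outputs = validatedOutputs) {
  return childGenesisRejectReason(tx, outputs) === null;
}

// Demonstration: the same no-burn transaction under both checks.
const noBurn = makeChildGenesis([{ txid: "zzzz", vout: 0 }]);
console.log("lenient:", isValidChildGenesisLenient(noBurn)); // true (false positive)
console.log("hardened:", childGenesisRejectReason(noBurn));  // "vin[0] does not spend a validated SLP output"
```

The point of keying the cache by validated outputs rather than by raw transaction data is that the burn check inherits the parent's validity: an input that spends an output of an invalid or non-SLP transaction is simply absent from the cache and is rejected, so a forged group token cannot be used to mint a child either.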
Patches
npm package "slpjs" has been patched and is published and tagged as version 0.27.4.
Workarounds
Upgrade to slpjs 0.27.4.
References
- Package location: https://www.npmjs.com/package/slpjs
- SLP NFT1 spec: https://slp.dev/specs/slp-nft-1/#nft1-protocol-requirements
- Git commit hash fixing this issue: https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c
- Unit tests have been added to assist validator implementations in avoiding this bug: https://github.com/simpleledger/slp-unit-test-data/commit/8c942eacfae12686dcf1f3366321445a4fba73e7
For more information
If you have any questions or comments about this advisory please open an issue in the slp-validate repository.
Permalink: https://github.com/advisories/GHSA-cc2p-4jhr-xhhx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNjMnAtNGpoci14aGh4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00071
EPSS Percentile: 0.33514
Identifiers: GHSA-cc2p-4jhr-xhhx, CVE-2020-15130
References:
- https://github.com/simpleledger/slpjs/security/advisories/GHSA-cc2p-4jhr-xhhx
- https://github.com/simpleledger/slpjs/commit/290c20e8bff13ac81459d43e54cac232b5e3456c
- https://nvd.nist.gov/vuln/detail/CVE-2020-15130
- https://github.com/advisories/GHSA-cc2p-4jhr-xhhx
Blast Radius: 13.5
Affected Packages
npm:slpjs
Dependent packages: 13
Dependent repositories: 64
Downloads: 480 last month
Affected Version Ranges: < 0.27.4
Fixed in: 0.27.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.2, 0.14.0, 0.15.0, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.15.10, 0.15.11, 0.15.12, 0.15.13, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5, 0.22.6, 0.23.0, 0.23.2, 0.23.3, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.26.0, 0.27.0, 0.27.1, 0.27.2, 0.27.3
All unaffected versions: 0.27.4, 0.27.5, 0.27.6, 0.27.7, 0.27.8, 0.27.9, 0.27.11