Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZnNDQtZnc2NC1jcGp4
Incorrect Account Used for Signing
Impact
Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected.
The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has already added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn't restore the index instructing the keyring to use that account for signing. As a result, after serializing then deserializing the keyring state, the account at index 0 is always used for signing even if it isn't the current account.
Patches
This has been patched (#14) in version >=0.2.1 of eth-ledger-bridge-keyring, and in version >=0.2.2 of @metamask/eth-ledger-bridge-keyring. Users are encouraged to migrate to the new package name.
Workarounds
To work around this problem without updating, you should remove then re-add the account before use. As long as the account was added during the lifetime of that process, signing with that account should work correctly.
For more information
If you have any questions or comments about this advisory:
- Open an issue in MetaMask/eth-ledger-bridge-keyring on GitHub
- Email the MetaMask team at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZnNDQtZnc2NC1jcGp4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: about 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-vg44-fw64-cpjx
References:
- https://github.com/MetaMask/eth-ledger-bridge-keyring/security/advisories/GHSA-vg44-fw64-cpjx
- https://github.com/MetaMask/eth-ledger-bridge-keyring/pull/14
- https://github.com/MetaMask/eth-ledger-bridge-keyring/commit/f32e529d13a53e55f558d903534d631846dc26ce
- https://github.com/advisories/GHSA-vg44-fw64-cpjx
- https://www.npmjs.com/advisories/1497
- https://www.npmjs.com/advisories/1498
- https://snyk.io/vuln/SNYK-JS-ETHLEDGERBRIDGEKEYRING-561121
Blast Radius: 16.5
Affected Packages
npm:@metamask/eth-ledger-bridge-keyring
Dependent packages: 2Dependent repositories: 158
Downloads: 12,379 last month
Affected Version Ranges: < 0.2.2
Fixed in: 0.2.2
All affected versions:
All unaffected versions: 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 1.0.0, 1.0.1, 2.0.0, 2.0.1, 3.0.0, 3.0.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 5.0.0, 5.0.1, 6.0.0, 7.0.0, 8.0.0, 8.0.1, 8.0.2, 8.0.3
npm:eth-ledger-bridge-keyring
Dependent packages: 2Dependent repositories: 54
Downloads: 32 last month
Affected Version Ranges: < 0.2.1
Fixed in: 0.2.1
All affected versions: 0.1.0, 0.1.1, 0.2.0
All unaffected versions: 0.2.1