5 vulnerabilities
CVE-2024-11991 (GCVE-0-2024-11991)
Vulnerability from cvelistv5 – Published: 2024-12-09 14:38 – Updated: 2024-12-09 15:07
Summary
Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.
Severity
5.6 (Medium)
CWE
- CWE-908 - Use of Uninitialized Resource
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | Motoko | Affected: 0.9.0 , ≤ 0.13.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:07:27.354775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:07:37.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "moc",
"product": "Motoko",
"vendor": "Internet Computer",
"versions": [
{
"lessThanOrEqual": "0.13.3",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eMotoko\u0027s incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister\u0027s memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Motoko\u0027s incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister\u0027s memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T14:38:07.288Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/motoko/pull/4677"
},
{
"url": "https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Uninitialized memory access in Motoko incremental garbage collector",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDisable incremental garbage collector and enhanced orthogonal persistence. i.e. do \u003cstrong\u003enot compile\u003c/strong\u003e\u0026nbsp;with\u0026nbsp;\u003ci\u003e\u2014incremental-gc\u003c/i\u003e or \u003ci\u003e--enhanced-orthogonal-persistence\u003c/i\u003e options.\u003c/p\u003e"
}
],
"value": "Disable incremental garbage collector and enhanced orthogonal persistence. i.e. do not compile\u00a0with\u00a0\u2014incremental-gc or --enhanced-orthogonal-persistence options."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2024-11991",
"datePublished": "2024-12-09T14:38:07.288Z",
"dateReserved": "2024-11-29T10:02:19.279Z",
"dateUpdated": "2024-12-09T15:07:37.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7884 (GCVE-0-2024-7884)
Vulnerability from cvelistv5 – Published: 2024-09-05 13:01 – Updated: 2024-09-05 14:42
Summary
When a canister method is called via `ic_cdk::call*`, a new future, `CallFuture`, is created and can be awaited by the caller to get the execution result. Internally, the state of the future is tracked and stored in a struct called `CallFutureState`. A bug in the polling implementation of the `CallFuture` allows multiple references to be held to this internal state, and not all references were dropped before the future is resolved. Since unaccounted references are held, a copy of the internal state ends up being persisted in the canister's heap, causing a memory leak.
Impact
Canisters built in Rust with `ic_cdk` and `ic_cdk_timers` are affected. If these canisters call a canister method, use timers, or use heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker. Motoko-based canisters are not affected by the bug.
Patches
The patch has been backported to all minor versions between >= 0.8.0, <= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1, and their previous versions have been yanked.
Workarounds
There are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of `ic_cdk` to avoid running out of Wasm heap memory.
Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory, but it is only a temporary solution.
Severity
7.5 (High)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | ic-cdk | Affected: 0.8.0 , < 0.8.2 (semver) |
| | | Affected: 0.9.0 , < 0.9.3 (semver) |
| | | Affected: 0.10.0 , < 0.10.1 (semver) |
| | | Affected: 0.11.0 , < 0.11.5 (semver) |
| | | Affected: 0.12.0 , < 0.12.2 (semver) |
| | | Affected: 0.13.0 , < 0.13.4 (semver) |
| | | Affected: 0.14.0 , < 0.14.1 (semver) |
| | | Affected: 0.15.0 , < 0.15.1 (semver) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:internet_computer:ic-cdk:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ic-cdk",
"vendor": "internet_computer",
"versions": [
{
"lessThan": "0.8.2",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
},
{
"lessThan": "0.9.3",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
},
{
"lessThan": "0.10.1",
"status": "affected",
"version": "0.10.0",
"versionType": "semver"
},
{
"lessThan": "0.11.5",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
},
{
"lessThan": "0.12.2",
"status": "affected",
"version": "0.12.0",
"versionType": "semver"
},
{
"lessThan": "0.13.4",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
},
{
"lessThan": "0.14.1",
"status": "affected",
"version": "0.14.0",
"versionType": "semver"
},
{
"lessThan": "0.15.1",
"status": "affected",
"version": "0.15.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7884",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:27:48.684901Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:42:09.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://crates.io/crates/ic-cdk",
"defaultStatus": "unaffected",
"packageName": "ic-cdk",
"product": "ic-cdk",
"repo": "https://github.com/dfinity/cdk-rs",
"vendor": "Internet Computer",
"versions": [
{
"changes": [
{
"at": "0.8.2",
"status": "unaffected"
}
],
"lessThan": "0.8.2",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.9.3",
"status": "unaffected"
}
],
"lessThan": "0.9.3",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.10.1",
"status": "unaffected"
}
],
"lessThan": "0.10.1",
"status": "affected",
"version": "0.10.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.11.6",
"status": "unaffected"
}
],
"lessThan": "0.11.5",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.12.2",
"status": "unaffected"
}
],
"lessThan": "0.12.2",
"status": "affected",
"version": "0.12.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.13.5",
"status": "unaffected"
}
],
"lessThan": "0.13.4",
"status": "affected",
"version": "0.13.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.14.1",
"status": "unaffected"
}
],
"lessThan": "0.14.1",
"status": "affected",
"version": "0.14.0",
"versionType": "semver"
},
{
"changes": [
{
"at": "0.15.1",
"status": "unaffected"
}
],
"lessThan": "0.15.1",
"status": "affected",
"version": "0.15.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When a canister method is called via \u003ctt\u003eic_cdk::call*\u003c/tt\u003e , a new Future \u003ctt\u003eCallFuture\u0026nbsp;\u003c/tt\u003eis created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called \u003ctt\u003eCallFutureState\u003c/tt\u003e. A bug in the polling implementation of the \u003ctt\u003eCallFuture\u003c/tt\u003e allows multiple references to be held for this internal state and not all references were dropped before the \u003ctt\u003eFuture\u003c/tt\u003e\u0026nbsp;is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister\u0027s heap and thus causing a memory leak. \u003cbr\u003e\u003ch3\u003eImpact\u0026nbsp;\u003c/h3\u003eCanisters built in Rust with \u003ctt\u003eic_cdk\u003c/tt\u003e\u0026nbsp;and \u003ctt\u003eic_cdk_timers\u003c/tt\u003e\u0026nbsp;are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. \u003cb\u003eIn the worst case, this could lead to heap memory exhaustion triggered by an attacker. \u003c/b\u003eMotoko based canisters are not affected by the bug.\u003cbr\u003e\u003ch3\u003ePatches\u003c/h3\u003eThe patch has been backported to all minor versions between \u003ctt\u003e\u0026gt;= 0.8.0, \u0026lt;= 0.15.0\u003c/tt\u003e. The patched versions available are \u003ctt\u003e0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 \u003c/tt\u003eand their previous versions have been yanked. \u003ch3\u003eWorkarounds\u003c/h3\u003eThere are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of \u003ctt\u003eic_cdk\u003c/tt\u003e\u0026nbsp;to avoid running out of Wasm heap memory. 
\u003cbr\u003e\u003cblockquote\u003eUpgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it\u0027s only a temporary solution.\u003c/blockquote\u003e"
}
],
"value": "When a canister method is called via ic_cdk::call* , a new Future CallFuture\u00a0is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held for this internal state and not all references were dropped before the Future\u00a0is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister\u0027s heap and thus causing a memory leak. \nImpact\u00a0Canisters built in Rust with ic_cdk\u00a0and ic_cdk_timers\u00a0are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker. Motoko based canisters are not affected by the bug.\nPatchesThe patch has been backported to all minor versions between \u003e= 0.8.0, \u003c= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 and their previous versions have been yanked. WorkaroundsThere are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of ic_cdk\u00a0to avoid running out of Wasm heap memory. \nUpgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it\u0027s only a temporary solution."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:01:20.585Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/cdk-rs/pull/509"
},
{
"url": "https://docs.rs/ic-cdk/latest/ic_cdk/"
},
{
"url": "https://internetcomputer.org/docs/current/references/ic-interface-spec"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory leak when calling a canister method via `ic_cdk::call`",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2024-7884",
"datePublished": "2024-09-05T13:01:20.585Z",
"dateReserved": "2024-08-16T15:30:36.784Z",
"dateUpdated": "2024-09-05T14:42:09.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4435 (GCVE-0-2024-4435)
Vulnerability from cvelistv5 – Published: 2024-05-21 09:41 – Updated: 2024-08-01 20:40
Summary
When storing unbounded types in a BTreeMap, a node is represented as a linked list of "memory chunks". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the BTreeMap, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.
This issue has been fixed in #212 (https://github.com/dfinity/stable-structures/pull/212) by changing the logic for deallocating nodes to ensure that all of a node's memory chunks are deallocated, and users are asked to upgrade to version 0.6.4. Tests have been added to prevent regressions of this nature moving forward. Note: Users of stable-structures < 0.6.0 are not affected.
Users who are not storing unbounded types in BTreeMap are not affected and do not need to upgrade. Otherwise, an upgrade to version 0.6.4 is necessary.
Severity
5.9 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | ic-stable-structures | Affected: 0.6.0 , < 0.6.4 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T20:17:52.489055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:57.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/stable-structures/pull/212"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/"
},
{
"tags": [
"x_transferred"
],
"url": "https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://crates.io/crates/ic-stable-structures",
"defaultStatus": "unaffected",
"packageName": "ic-stable-structures",
"product": "ic-stable-structures",
"repo": "https://github.com/dfinity/stable-structures",
"vendor": "Internet Computer",
"versions": [
{
"lessThan": "0.6.4",
"status": "affected",
"version": "0.6.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-05-21T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen storing unbounded types in a \u003ccode\u003eBTreeMap\u003c/code\u003e, a node is represented as a linked list of \"memory chunks\". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the \u003ccode\u003eBTreeMap\u003c/code\u003e, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.\u003c/p\u003e\u003cp\u003eThis issue has been fixed in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/dfinity/stable-structures/pull/212\"\u003e#212\u003c/a\u003e\u0026nbsp;by changing the logic for deallocating nodes to ensure that all of a node\u0027s memory chunks are deallocated \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eand users are asked to upgrade to version \u003c/span\u003e\u003ccode\u003e0.6.4\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e. Tests have been added to prevent regressions of this nature moving forward. \u003cstrong\u003eNote:\u003c/strong\u003e\u0026nbsp;Users of stable-structure \u0026lt; 0.6.0 are not affected.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers who are not storing unbounded types in \u003c/span\u003e\u003ccode\u003eBTreeMap\u003c/code\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;are not affected and do not need to upgrade. Otherwise, an upgrade to version \u003c/span\u003e\u003ccode\u003e0.6.4\u003c/code\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;is necessary.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "When storing unbounded types in a BTreeMap, a node is represented as a linked list of \"memory chunks\". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the BTreeMap, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.\n\nThis issue has been fixed in #212 https://github.com/dfinity/stable-structures/pull/212 \u00a0by changing the logic for deallocating nodes to ensure that all of a node\u0027s memory chunks are deallocated and users are asked to upgrade to version 0.6.4.. Tests have been added to prevent regressions of this nature moving forward. Note:\u00a0Users of stable-structure \u003c 0.6.0 are not affected.\n\nUsers who are not storing unbounded types in BTreeMap\u00a0are not affected and do not need to upgrade. Otherwise, an upgrade to version 0.6.4\u00a0is necessary."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131: Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-21T09:41:35.242Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/stable-structures/pull/212"
},
{
"url": "https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/"
},
{
"url": "https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BTreeMap memory leak when deallocating nodes with overflows",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2024-4435",
"datePublished": "2024-05-21T09:41:35.242Z",
"dateReserved": "2024-05-02T16:25:27.399Z",
"dateUpdated": "2024-08-01T20:40:47.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1631 (GCVE-0-2024-1631)
Vulnerability from cvelistv5 – Published: 2024-02-21 02:12 – Updated: 2024-08-16 14:55
Summary
Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller.
Severity
9.1 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | agent-js | Affected: v0.20.0-beta.0 , < v1.0.1 (1.0.1) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:20.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/agent-js/pull/851"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.npmjs.com/package/@dfinity/identity/v/1.0.1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/agent-js"
},
{
"tags": [
"x_transferred"
],
"url": "https://agent-js.icp.xyz/identity/index.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dfinity:agent-js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "agent-js",
"vendor": "dfinity",
"versions": [
{
"lessThan": "v1.0.1",
"status": "affected",
"version": "v0.20.0-beta.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T20:25:01.551447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T14:55:17.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "agent-js",
"programFiles": [
"https://github.com/dfinity/agent-js/blob/main/packages/identity/src/identity/ed25519.ts"
],
"vendor": "Internet Computer",
"versions": [
{
"lessThan": "v1.0.1",
"status": "affected",
"version": "v0.20.0-beta.0",
"versionType": "1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. \u003cbr\u003e"
}
],
"value": "Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. \n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Broken access control"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T05:09:43.340Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/agent-js/pull/851"
},
{
"url": "https://www.npmjs.com/package/@dfinity/identity/v/1.0.1"
},
{
"url": "https://github.com/dfinity/agent-js"
},
{
"url": "https://agent-js.icp.xyz/identity/index.html"
},
{
"url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2024-1631",
"datePublished": "2024-02-21T02:12:38.403Z",
"dateReserved": "2024-02-19T15:58:47.713Z",
"dateUpdated": "2024-08-16T14:55:17.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6245 (GCVE-0-2023-6245)
Vulnerability from cvelistv5 – Published: 2023-12-08 14:26 – Updated: 2024-12-02 14:33
Summary
The Candid library causes a Denial of Service while parsing a specially crafted payload with the 'empty' data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }`, then the Rust candid decoder treats `empty` as an extra field required by the type. The problem with the type `empty` is that the candid Rust library wrongly categorizes `empty` as a recoverable error when skipping the field, thus causing an infinite decoding loop.
Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching the maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.
Severity
7.5 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | Candid | Affected: 0.9.0 , < 0.9.10 (0.0.0) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/candid/pull/478"
},
{
"tags": [
"x_transferred"
],
"url": "https://internetcomputer.org/docs/current/references/candid-ref"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/candid/blob/master/spec/Candid.md"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j"
},
{
"tags": [
"x_transferred"
],
"url": "https://internetcomputer.org/docs/current/references/ic-interface-spec"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T14:31:05.379872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T14:33:16.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Candid",
"repo": "https://github.com/dfinity/candid",
"vendor": "Internet Computer",
"versions": [
{
"lessThan": "0.9.10",
"status": "affected",
"version": "0.9.0",
"versionType": "0.0.0"
}
]
}
],
"datePublic": "2023-12-08T01:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Candid library causes a Denial of Service while \nparsing a specially crafted payload with \u0027empty\u0027 data type. For example,\n if the payload is \u003ccode\u003e`record { * ; empty }`\u003c/code\u003e and the canister interface expects \u003ccode\u003e`record { * }`\u003c/code\u003e then the Rust candid decoder treats \u003ccode\u003eempty\u003c/code\u003e as an extra field required by the type. The problem with the type \u003ccode\u003eempty\u003c/code\u003e is that the candid Rust library wrongly categorizes \u003ccode\u003eempty\u003c/code\u003e as a recoverable error when skipping the field and thus causing an infinite decoding loop.\u003c/p\u003e\n\u003cp\u003eCanisters using affected versions of candid\n are exposed to denial of service by causing the decoding to run \nindefinitely until the canister traps due to reaching maximum \ninstruction limit per execution round. Repeated exposure to the payload \nwill result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The Candid library causes a Denial of Service while \nparsing a specially crafted payload with \u0027empty\u0027 data type. For example,\n if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field and thus causing an infinite decoding loop.\n\n\nCanisters using affected versions of candid\n are exposed to denial of service by causing the decoding to run \nindefinitely until the canister traps due to reaching maximum \ninstruction limit per execution round. Repeated exposure to the payload \nwill result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.\n\n\n\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of Service"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1288",
"description": "CWE-1288 Improper Validation of Consistency within Input",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-168",
"description": "CWE-168 Improper Handling of Inconsistent Special Elements",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-08T14:26:09.331Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/candid/pull/478"
},
{
"url": "https://internetcomputer.org/docs/current/references/candid-ref"
},
{
"url": "https://github.com/dfinity/candid/blob/master/spec/Candid.md"
},
{
"url": "https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j"
},
{
"url": "https://internetcomputer.org/docs/current/references/ic-interface-spec"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Infinite decoding loop through specially crafted payload",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2023-6245",
"datePublished": "2023-12-08T14:26:09.331Z",
"dateReserved": "2023-11-21T16:28:51.715Z",
"dateUpdated": "2024-12-02T14:33:16.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}