Search criteria
6 vulnerabilities found for electrum by electrum
FKIE_CVE-2022-31246
Vulnerability from fkie_nvd - Published: 2022-06-17 14:15 - Updated: 2024-11-21 07:04
Severity
Summary
paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355 | Third Party Advisory | |
| cve@mitre.org | https://twitter.com/ElectrumWallet/status/1534540879905665028 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/ElectrumWallet/status/1534540879905665028 | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:electrum:electrum:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C9EA996-54C5-46F8-96EE-F44B1E972B09",
"versionEndExcluding": "4.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename."
},
{
"lang": "es",
"value": "El archivo paymentrequest.py en Electrum versiones anteriores a 4.2.2, permite una URL file:// en el par\u00e1metro r de una petici\u00f3n de pago (por ejemplo, dentro de los datos del c\u00f3digo QR). En Windows, esto puede conllevar a una captura de credenciales a trav\u00e9s de SMB. En Linux y UNIX, puede conllevar a una denegaci\u00f3n de servicio al especificar el nombre de archivo /dev/cero"
}
],
"id": "CVE-2022-31246",
"lastModified": "2024-11-21T07:04:12.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-17T14:15:08.127",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-88"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-6353
Vulnerability from fkie_nvd - Published: 2018-01-27 15:29 - Updated: 2024-11-21 04:10
Severity
Summary
The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/spesmilo/electrum/issues/3678 | Exploit, Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://github.com/spesmilo/electrum/pull/3700 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/spesmilo/electrum/issues/3678 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/spesmilo/electrum/pull/3700 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:electrum:electrum:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7D2CEE8-E91B-4EC4-8029-B3A383D65944",
"versionEndIncluding": "2.9.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:electrum:electrum:3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B628024B-A496-4180-8DFA-900F8A2D4E03",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:electrum:electrum:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "23426519-FA35-4B1A-81EB-F23B140A07EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:electrum:electrum:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2C318014-C91A-44D9-B21A-34B390CB4FF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:electrum:electrum:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "33673B3D-7620-48A1-BD6F-2DD7A8096C06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:electrum:electrum:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "547E5D84-0ECE-472D-B33E-9D10961E362A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022."
},
{
"lang": "es",
"value": "La consola Python en Electrum hasta la versi\u00f3n 2.9.4 y las versiones 3.x hasta la 3.0.5 son compatibles con c\u00f3digo Python arbitrario sin considerar (1) ataques de ingenier\u00eda social en los que un usuario pega c\u00f3digo que no entiende y (2) c\u00f3digo pegado por un ataque pr\u00f3ximo f\u00edsicamente en una estaci\u00f3n de trabajo sin atender. Esto facilita que los atacantes roben bitcoins mediante c\u00f3digo de enlace que se ejecuta posteriormente, una vez se ha introducido la contrase\u00f1a. Esta vulnerabilidad es diferente de CVE-2018-1000022."
}
],
"id": "CVE-2018-6353",
"lastModified": "2024-11-21T04:10:32.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-27T15:29:00.270",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/spesmilo/electrum/pull/3700"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-31246 (GCVE-0-2022-31246)
Vulnerability from cvelistv5 – Published: 2022-06-17 13:39 – Updated: 2024-08-03 07:11
VLAI
Summary
paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/spesmilo/electrum/security/adv… | x_refsource_MISC |
| https://twitter.com/ElectrumWallet/status/1534540… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-17T13:41:59.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31246",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355",
"refsource": "MISC",
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"name": "https://twitter.com/ElectrumWallet/status/1534540879905665028",
"refsource": "MISC",
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31246",
"datePublished": "2022-06-17T13:39:22.000Z",
"dateReserved": "2022-05-20T00:00:00.000Z",
"dateUpdated": "2024-08-03T07:11:39.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6353 (GCVE-0-2018-6353)
Vulnerability from cvelistv5 – Published: 2018-01-27 15:00 – Updated: 2024-09-17 00:45
VLAI
Summary
The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/spesmilo/electrum/issues/3678 | x_refsource_MISC |
| https://github.com/spesmilo/electrum/pull/3700 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:48.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-27T15:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6353",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/spesmilo/electrum/issues/3678",
"refsource": "MISC",
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"name": "https://github.com/spesmilo/electrum/pull/3700",
"refsource": "MISC",
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6353",
"datePublished": "2018-01-27T15:00:00.000Z",
"dateReserved": "2018-01-27T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:45:57.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31246 (GCVE-0-2022-31246)
Vulnerability from nvd – Published: 2022-06-17 13:39 – Updated: 2024-08-03 07:11
VLAI
Summary
paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/spesmilo/electrum/security/adv… | x_refsource_MISC |
| https://twitter.com/ElectrumWallet/status/1534540… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-17T13:41:59.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-31246",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "paymentrequest.py in Electrum before 4.2.2 allows a file:// URL in the r parameter of a payment request (e.g., within QR code data). On Windows, this can lead to capture of credentials over SMB. On Linux and UNIX, it can lead to a denial of service by specifying the /dev/zero filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355",
"refsource": "MISC",
"url": "https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355"
},
{
"name": "https://twitter.com/ElectrumWallet/status/1534540879905665028",
"refsource": "MISC",
"url": "https://twitter.com/ElectrumWallet/status/1534540879905665028"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-31246",
"datePublished": "2022-06-17T13:39:22.000Z",
"dateReserved": "2022-05-20T00:00:00.000Z",
"dateUpdated": "2024-08-03T07:11:39.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6353 (GCVE-0-2018-6353)
Vulnerability from nvd – Published: 2018-01-27 15:00 – Updated: 2024-09-17 00:45
VLAI
Summary
The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/spesmilo/electrum/issues/3678 | x_refsource_MISC |
| https://github.com/spesmilo/electrum/pull/3700 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:48.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-27T15:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6353",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/spesmilo/electrum/issues/3678",
"refsource": "MISC",
"url": "https://github.com/spesmilo/electrum/issues/3678"
},
{
"name": "https://github.com/spesmilo/electrum/pull/3700",
"refsource": "MISC",
"url": "https://github.com/spesmilo/electrum/pull/3700"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6353",
"datePublished": "2018-01-27T15:00:00.000Z",
"dateReserved": "2018-01-27T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:45:57.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}