GHSA-MJVM-MHGC-Q4GP

Vulnerability from github – Published: 2022-08-18 19:18 – Updated: 2024-10-24 21:48
VLAI
Summary
Incorrect parsing of EVM reversion exit reason in RPC
Details

Impact

A low severity security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic.

No action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this.

Patches

The issue is patched in https://github.com/paritytech/frontier/pull/820

Workarounds

None.

References

PR https://github.com/paritytech/frontier/pull/820

For more information

If you have any questions or comments about this advisory: * Email Wei Tang

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "fc-rpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-18T19:18:25Z",
    "nvd_published_at": "2022-08-19T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA low severity security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic.\n\nNo action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this.\n\n### Patches\n\nThe issue is patched in https://github.com/paritytech/frontier/pull/820\n\n### Workarounds\n\nNone.\n\n### References\n\nPR https://github.com/paritytech/frontier/pull/820\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email [Wei Tang](mailto:wei@that.world)",
  "id": "GHSA-mjvm-mhgc-q4gp",
  "modified": "2024-10-24T21:48:34Z",
  "published": "2022-08-18T19:18:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/security/advisories/GHSA-mjvm-mhgc-q4gp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36008"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/pull/820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/commit/fff8cc43b7756ce3979a38fc473f38e6e24ac451"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/paritytech/frontier"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect parsing of EVM reversion exit reason in RPC"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.