GHSA-XFRC-7MJ2-5XH9

Vulnerability from github – Published: 2020-09-03 17:14 – Updated: 2020-08-31 18:44
VLAI?
Summary
Undefined Behavior in zencashjs
Details

Versions of zencashjs prior to 1.2.0 may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses start with “zt” while a subset of mainnet P2SH addresses can also start with “zt”. The package interprets transactions sent to a “zt” P2SH address on mainnet as P2PKH transactions erroneously. Any funds sent to a mainnet P2SH multisignature address starting with “zt” will be sent to the wrong address and be lost.

Recommendation

Upgrade to version 1.2.0 or later.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zencashjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:44:53Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Versions of `zencashjs` prior to 1.2.0 may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction (P2PKH or P2SH). Due to the base58 address prefixes chosen in Horizen there exists the possibility of a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses, testnet P2PKH addresses start with \u201czt\u201d while a subset of mainnet P2SH addresses can also start with \u201czt\u201d. The package interprets transactions sent to a \u201czt\u201d P2SH address on mainnet as P2PKH transactions erroneously. Any funds sent to a mainnet P2SH multisignature address starting with \u201czt\u201d will be sent to the wrong address and be lost.\n\n\n## Recommendation\n\nUpgrade to version 1.2.0 or later.",
  "id": "GHSA-xfrc-7mj2-5xh9",
  "modified": "2020-08-31T18:44:53Z",
  "published": "2020-09-03T17:14:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZencashOfficial/zencashjs/commit/db01bd94b9f8a956d7835e934500eaa643f8bd13#diff-42d8d2088a96641b563b25ad908b0c0fR146"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Undefined Behavior in zencashjs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.