CVE-2021-21405 Information

Jun 07, 2022 cve

Description

Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: \serialized\ and ## CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://github.com/filecoin-project/lotus/pull/5393 https://gist.github.com/wadeAlexC/2490d522e81a796af9efcad1686e6754 https://github.com/filecoin-project/lotus/security/advisories/GHSA-4g52-pqcj-phvh

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5

Share on: