Vulnerability Details : CVE-2020-11014
Electron-Cash-SLP before version 3.6.2 has a vulnerability. All token creators that use the "Mint Tool" feature of the Electron Cash SLP Edition are at risk of sending the minting authority baton to the wrong SLP address. Sending the mint baton to the wrong address will give another party the ability to issue new tokens or permanently destroy future minting capability. This is fixed in version 3.6.2.
Products affected by CVE-2020-11014
- cpe:2.3:a:simpleledger:electron-cash-slp:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11014
Probability of exploitation activity in the next 30 days: 0.12%
Percentile, the proportion of vulnerabilities that are scored at or less: ~46%
CVSS scores for CVE-2020-11014
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P | 10.0 | 4.9 | NIST | |
8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N | 3.9 | 4.0 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N | 1.6 | 4.0 | GitHub, Inc. | |
References for CVE-2020-11014
- https://github.com/kristovatlas/rfc/blob/master/bips/bip-li01.mediawiki
  rfc/bip-li01.mediawiki at master · kristovatlas/rfc · GitHub (Third Party Advisory)
- https://github.com/simpleledger/Electron-Cash-SLP/commit/ea3912c3d508ba81b280ef7d78648464f7f76fb8
  patch for critical vulnerability in mint tool · simpleledger/Electron-Cash-SLP@ea3912c · GitHub (Patch; Third Party Advisory)
- https://github.com/simpleledger/Electron-Cash-SLP/issues/126
  Mint baton sent to token receiver address · Issue #126 · simpleledger/Electron-Cash-SLP · GitHub (Third Party Advisory)
- https://github.com/simpleledger/Electron-Cash-SLP/security/advisories/GHSA-cchm-grx2-g873
  BIP LI01 output reordering may cause malformed SLP MINT transactions · Advisory · simpleledger/Electron-Cash-SLP · GitHub (Third Party Advisory)