Vulnerability Details : CVE-2021-39193
Frontier is Substrate's Ethereum compatibility layer. Prior to commit 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in `pallet-ethereum` could cause invalid transactions to be included in the Ethereum block state, because the pallet did not validate the size of the transaction input data. Any invalid transaction included this way has no possibility of altering the internal Ethereum or Substrate state: the transaction appears to have been included, but has no effect, since the EVM engine rejects it. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch.
Vulnerability category: Input validation
Products affected by CVE-2021-39193
- cpe:2.3:a:parity:frontier:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-39193
- EPSS score: 0.13% (probability of exploitation activity in the next 30 days)
- Percentile: ~49% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-39193
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | GitHub, Inc. |
CWE ids for CVE-2021-39193
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
- The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. Assigned by:
  - nvd@nist.gov (Primary)
References for CVE-2021-39193
- https://github.com/paritytech/frontier/pull/465 — "Validate transaction cost by tgmichel · Pull Request #465 · paritytech/frontier · GitHub" (Patch; Third Party Advisory)
- https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm — "Transaction validity oversight in pallet-ethereum · Advisory · paritytech/frontier · GitHub" (Patch; Third Party Advisory)
- https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae — "Validate transaction cost by tgmichel · Pull Request #465 · paritytech/frontier · GitHub" (Patch; Third Party Advisory)
- https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26 — "Add transaction cost pre-validation (#465) · paritytech/frontier@0b962f2 · GitHub" (Patch; Third Party Advisory)