Vulnerability Details : CVE-2022-24738
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1 attackers are able to drain unclaimed funds from user addresses. To do this an attacker must create a new chain which does not enforce signature verification and connects it to the target evmos instance. The attacker can use this joined chain to transfer unclaimed funds. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability category: BypassGain privilege
Products affected by CVE-2022-24738
- cpe:2.3:a:evmos:evmos:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24738
0.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24738
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
GitHub, Inc. |
CWE ids for CVE-2022-24738
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-24738
-
https://github.com/tharsis/evmos/security/advisories/GHSA-5jgq-x857-p8xw
Malicious Migration of Claimable Amount through IBC · Advisory · tharsis/evmos · GitHubThird Party Advisory
-
https://github.com/tharsis/evmos/releases/tag/v2.0.1
Release v2.0.1 · tharsis/evmos · GitHubRelease Notes;Third Party Advisory
-
https://github.com/tharsis/evmos/commit/28870258d4ee9f1b8aeef5eba891681f89348f71
Merge pull request from GHSA-5jgq-x857-p8xw · tharsis/evmos@2887025 · GitHubPatch;Third Party Advisory
Jump to