CVE-2021-29511

Опубликовано: 12 мая 2021

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the evm crate can over-allocate memory when it is not needed, making it possible for an attacker to perform denial-of-service attack. The flaw was corrected in commit 19ade85. Users should upgrade to ==0.21.1, ==0.23.1, ==0.24.1, ==0.25.1, >=0.26.1. There are no workarounds. Please upgrade your evm crate version.

Ссылки

https://crates.io/crates/evm
Third Party Advisory
https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd
Patch
Third Party Advisory
https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388
Patch
Third Party Advisory
https://crates.io/crates/evm
Third Party Advisory
https://github.com/rust-blockchain/evm/commit/19ade858c430ab13eb562764a870ac9f8506f8dd
Patch
Third Party Advisory
https://github.com/rust-blockchain/evm/security/advisories/GHSA-4jwq-572w-4388
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:evm_project:evm:*:*:*:*:*:rust:*:*

Версия до 0.21.0 (включая)

cpe:2.3:a:evm_project:evm:0.22.0:*:*:*:*:rust:*:*

cpe:2.3:a:evm_project:evm:0.23.0:*:*:*:*:rust:*:*

cpe:2.3:a:evm_project:evm:0.24.0:*:*:*:*:rust:*:*

cpe:2.3:a:evm_project:evm:0.25.0:*:*:*:*:rust:*:*

cpe:2.3:a:evm_project:evm:0.26.0:*:*:*:*:rust:*:*

EPSS

Процентиль: 59%

0.00376

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-770

CWE-787

Связанные уязвимости

GHSA-4jwq-572w-4388