Описание
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren't self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7.
Ссылки
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.8.7 (исключая)
cpe:2.3:a:filecoin:go-f3:*:*:*:*:*:*:*:*
EPSS
Процентиль: 24%
0.00082
Низкий
7.5 High
CVSS3
Дефекты
CWE-190
Связанные уязвимости
CVSS3: 7.5
github
4 месяца назад
go-f3 module vulnerable to integer overflow leading to panic
EPSS
Процентиль: 24%
0.00082
Низкий
7.5 High
CVSS3
Дефекты
CWE-190