Improper Validation Affecting github.com/lightningnetwork/lnd package, versions <0.11.0-beta


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (43rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMLIGHTNINGNETWORKLND-1047871
  • published2 Dec 2020
  • disclosed2 Dec 2020
  • creditAntoine Riard

Introduced: 2 Dec 2020

CVE-2020-26896  (opens in a new tab)
CWE-601  (opens in a new tab)

How to fix?

Upgrade github.com/lightningnetwork/lnd to version 0.11.0-beta or higher.

Overview

github.com/lightningnetwork/lnd is a complete implementation of a Lightning Network node.

Affected versions of this package are vulnerable to Improper Validation. An lnd node can be coerced into revealing an invoice pre-image for a forwarded HTLC with a colliding payment hash.

References

CVSS Scores

version 3.1