lnd package, versions <0.12.1-beta

Attack Complexity

High
Privileges Required

High
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-GOLANG-GITHUBCOMLIGHTNINGNETWORKLND-1078504
published

23 Feb 2021
disclosed

23 Feb 2021
credit

Martin Habovštiak

Report a new vulnerability Found a mistake?

Introduced: 23 Feb 2021

CVE - NOT AVAILABLE CWE-94 Open this link in a new tab

How to fix?

Upgrade github.com/lightningnetwork/lnd to version 0.12.1-beta or higher.

Overview

github.com/lightningnetwork/lnd is a complete implementation of a Lightning Network node.

Affected versions of this package are vulnerable to Command Injection. Both the lnd and lncli binaries are executed to obtain their version before they have been verified against the release, a malicious binary could have already compromised the user's system before any of the checks had been performed.

References

GitHub Commit

Command Injection Affecting github.com/lightningnetwork/lnd package, versions <0.12.1-beta

Attack Complexity

Privileges Required

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 23 Feb 2021

How to fix?

Overview

References