Improper Input Validation Affecting frontier package, versions *


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.15% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-FRONTIER-1731711
  • published14 Oct 2021
  • disclosed13 Oct 2021
  • creditUnknown

Introduced: 13 Oct 2021

CVE-2021-41138  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Improper Input Validation. In pallet-ethereum, a part of the transaction validation logic was called in the transaction pool validation, but not in block execution. Malicious actors can abuse this to put invalid transactions into a block.

The attack is limited such that the signature is always validated, and the majority of the validation is done again in the subsequent pallet-evm execution logic. However, a chain ID replay attack is possible. Moreover, spamming attacks are of main concern, while they are limited by substrate block size limits and other factors.

References

CVSS Scores

version 3.1