Lucene search

GitHub_MVULNRICHMENT:CVE-2024-32873

HistoryJun 06, 2024 - 6:13 p.m.

CVE-2024-32873 evmos allows transferring unvested tokens after delegations

2024-06-0618:13:54

CWE-682

GitHub_M

github.com

cve-2024-32873

evmos

ethereum virtual machine

cosmos network

unvested tokens

delegations

spendable balance

clawback vesting account

fixed in 18.0.0

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

AI Score

6.6

Confidence

Low

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0.

CNA Affected

[
  {
    "vendor": "evmos",
    "product": "evmos",
    "versions": [
      {
        "version": "< 18.0.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb

github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

AI Score

6.6

Confidence

Low

EPSS

Percentile

9.0%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-32873