Multiple vulnerabilities in CPP and Parity Ethereum
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2017-12112 CVE-2017-12113 CVE-2017-12114 CVE-2017-12115 CVE-2017-12116 CVE-2017-12117 CVE-2017-12118 CVE-2017-12119 CVE-2017-14457 CVE-2017-14460 |
| CWE-ID | CWE-285 CWE-248 CWE-125 CWE-942 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
CPP-Ethereum Universal components / Libraries / Software for developers Parity-Ethereum Universal components / Libraries / Software for developers |
| Vendor |
Ethereum Parity Technologies |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Improper authorization
EUVDB-ID: #VU9970
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12112
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in admin_addPeer API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0464
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper authorization
EUVDB-ID: #VU9969
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12113
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in admin_nodeInfo API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0465
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper authorization
EUVDB-ID: #VU9968
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12114
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in admin_peers API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0466
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper authorization
EUVDB-ID: #VU9967
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12115
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in miner_setEtherbase API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0467
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper authorization
EUVDB-ID: #VU9966
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12116
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in miner_setGasPrice API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0468
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper authorization
EUVDB-ID: #VU9965
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12117
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in miner_start API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0469
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper authorization
EUVDB-ID: #VU9964
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12118
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization on the target system.
The weakness exists in miner_stop API of cpp-ethereum's JSON-RPC due to improper authorization. A remote attacker can make a specially crafted JSON request, gain access to the restricted functionality and bypass authorization.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0470
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Denial of service
EUVDB-ID: #VU9963
Risk: Low
CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-12119
CWE-ID:
CWE-248 - Uncaught Exception
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in multiple APIs of CPP-Ethereum's JSON-RPC due to an insufficient validation of user-supplied input. A remote attacker can make a specially crafted JSON request, trigger a unhandled exception and cause the application to crash.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0471
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU9962
Risk: Low
CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-14457
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.
The weakness exists due to an insufficient validation of user-supplied input. A remote attacker can create and send a specially crafted smart contract containing malicious code, trigger an out-of-bounds read and gain access to arbitrary data or cause the application to crash.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
CPP-Ethereum: All versions
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0503
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Privilege escalation
EUVDB-ID: #VU9955
Risk: Low
CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2017-14460
CWE-ID:
CWE-942 - Overly Permissive Cross-domain Whitelist
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an insufficient validation of user-supplied input. A remote attacker can send JSON object to JSON-RPC endpoint, trick the victim into visiting a specially crafted website, trigger overly permissive cross-domain (CORS) whitelist vulnerability in JSON-RPC and gain elevated privileges to perform further attacks.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Parity-Ethereum: 1.7.8
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0508
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
