Information disclosure in EOS - #VU14540
Published: August 28, 2018
Vulnerability identifier: #VU14540
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: EOS Essentials
Affected software:
EOS
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an unspecified flaw. A remote attacker can deploy code on their own account so that, when dapps or users send tokens to it, the code inserts large amounts of garbage into database rows billed to the sender, locking up the victims' RAM and stealing web resources from the victims' accounts without any authentication.
Remediation
As a temporary solution, users can send tokens to a proxy account that has no available RAM, with a memo whose first word is the account the tokens are eventually intended for. The only account the receiving code can then assume database row permissions for is the proxy, which has no RAM to consume.
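The following is an added example, not code from the advisory or from EOS itself, showing the preconditions a sender-side tool would check before using the proxy workaround above: that the proxy really has no free RAM, and that the memo is built and parsed with the final recipient as its first word. It assumes the caller has already fetched the proxy's `/v1/chain/get_account` JSON (the `ram_quota` and `ram_usage` fields follow that response's shape; the account name `proxyacct111` and the numbers are constructed for the example), and the account-name syntax check is a simplification of the on-chain name rules.

```python
"""Pre-transfer safety check for the proxy-account workaround.

Added example, not from the advisory. It assumes the caller has already
fetched /v1/chain/get_account JSON for the proxy account; ram_quota and
ram_usage mirror the real response fields, the values are constructed.
"""
import json
import re

# Constructed sample of a get_account response for a proxy with no free RAM.
# "proxyacct111" is a hypothetical account name used only for this example.
PROXY_ACCOUNT_JSON = json.dumps({
    "account_name": "proxyacct111",
    "ram_quota": 3000,
    "ram_usage": 3000,
})

# Simplified EOS name syntax: a-z, 1-5 and '.', at most 12 characters.
_NAME_RE = re.compile(r"^[a-z1-5.]{1,12}$")


def is_valid_account_name(name: str) -> bool:
    """Basic account-name syntax check; does not cover every encoding edge."""
    return bool(_NAME_RE.match(name)) and not name.endswith(".")


def available_ram(account_json: str) -> int:
    """Free RAM in bytes from a get_account response (quota minus usage)."""
    acct = json.loads(account_json)
    return int(acct["ram_quota"]) - int(acct["ram_usage"])


def proxy_is_safe(account_json: str) -> bool:
    """True only when the proxy has no RAM that a receiver's code could fill."""
    return available_ram(account_json) <= 0


def build_proxy_memo(final_recipient: str, note: str = "") -> str:
    """Memo whose first word names the account the proxy forwards to."""
    if not is_valid_account_name(final_recipient):
        raise ValueError(f"invalid account name: {final_recipient!r}")
    return f"{final_recipient} {note}".strip()


def parse_proxy_memo(memo: str) -> str:
    """Recover the forwarding target: the first whitespace-separated word."""
    words = memo.split()
    if not words or not is_valid_account_name(words[0]):
        raise ValueError("memo does not start with a valid account name")
    return words[0]


def plan_transfer(proxy_json: str, final_recipient: str,
                  quantity: str, note: str = "") -> dict:
    """Assemble the transfer only when the workaround's preconditions hold."""
    if not proxy_is_safe(proxy_json):
        raise RuntimeError("proxy has free RAM; rows could be billed to it")
    memo = build_proxy_memo(final_recipient, note)
    return {
        "to": json.loads(proxy_json)["account_name"],
        "quantity": quantity,
        "memo": memo,
    }


if __name__ == "__main__":
    print(plan_transfer(PROXY_ACCOUNT_JSON, "eosio.token", "1.0000 EOS"))
```

The check refuses to proceed when `ram_quota - ram_usage` is positive, because any free RAM on the proxy is exactly what the receiving account's code could consume on the proxy's behalf; the memo helpers keep the forwarding target unambiguous by always placing it first.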