CVE-2022-47930
PUBLISHED
CVSS 9.3 CRITICAL
Reported by mitre · Published April 21, 2023
An issue was discovered in IO FinNet tss-lib before 2.0.0. The parameter ssid for defining a session id is not used throughout the MPC implementation, which makes replaying and spoofing of messages easier. In particular, the Schnorr proof of knowledge implemented in sch.go does not utilize a session id, context, or random nonce in the generation of the challenge. This could allow a malicious user or an eavesdropper to replay a valid proof sent in the past.
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | binance-chain/tss-lib | 0, 0, 0 |
| github.com | bnb-chain/tss-lib | 0, 0, 0 |
| github.com | IoFinnet/tss-lib | 0, 0, 0 |
Timeline
- Apr 21, 2023 CVE Published
- Apr 22, 2023 EPSS Score
- May 29, 2023 EPSS Score
- Jul 6, 2023 EPSS Score
- Aug 12, 2023 EPSS Score
- Sep 18, 2023 EPSS Score
- Oct 26, 2023 EPSS Score
- Dec 2, 2023 EPSS Score
- Jan 8, 2024 EPSS Score
- Feb 14, 2024 EPSS Score
- Mar 23, 2024 EPSS Score
- Apr 29, 2024 EPSS Score
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-47930 (advisory)
- https://medium.com/@iofinnet/security-disclosure-for-ecdsa-and-eddsa-threshold-signature-schemes-4e969af7155b (url)
- https://github.com/advisories/GHSA-c58h-qv6g-fw74 (advisory)
- https://github.com/bnb-chain/tss-lib/pull/256 (patch)
- https://github.com/bnb-chain/tss-lib/commit/1a14f3ac9ecbf6115e80d44c7fff16bcc3139250 (patch)
- https://github.com/bnb-chain/tss-lib (url)