Vulnerability DatabaseCVE-2022-35917
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-35917
August 01, 2022
Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied "validateTransfer" function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. This issue has been patched as of version "0.2.1". Users of the Solana Pay SDK should upgrade to it. There are no known workarounds for this issue.
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (6)
https://github.com/solana-labs/solana-pay
https://github.com/solana-labs/solana-pay/commit/ac6ce0d0a81137700874a8bf5a7caac3be999fad
https://github.com/solana-labs/solana-pay/security/advisories/GHSA-j47c-j42c-mwqq
https://github.com/solana-labs/solana-pay/blob/master/core/src/validateTransfer.ts
https://nvd.nist.gov/vuln/detail/CVE-2022-35917
https://github.com/solana-labs/solana-pay/blob/master/SPEC.md#reference
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Always-Incorrect Control Flow Implementation
CWE-670
EPSS
Base Score:
0.30