Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-42448

Good to know:

icon

Date: October 4, 2023

Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, the specification states that the contestation period in the datum of the UTxO at the head validator must stay unchanged as the state progresses from Open to Closed (Close transaction), but no such check appears to be performed in the `checkClose` function of the head validator. This would allow a malicious participant to modify the contestation deadline of the head to either allow them to fanout the head without giving another participant the chance to contest, or prevent any participant from ever redistributing the funds locked in the head via a fan-out. Version 0.13.0 contains a patch for this issue.

Language: HASKELL

Severity Score

Related Resources (7)

https://github.com/input-output-hk/hydra/blob/master/hydra-plutus/src/Hydra/Contract/Head.hs#L320-L323
https://github.com/input-output-hk/hydra/security/advisories/GHSA-mgcx-6p7h-5996
https://nvd.nist.gov/vuln/detail/CVE-2023-42448
https://github.com/input-output-hk/hydra/blob/master/hydra-plutus/src/Hydra/Contract/Head.hs#L284-L296
https://github.com/input-output-hk/hydra/blob/master/CHANGELOG.md#0130---2023-10-03
https://github.com/input-output-hk/hydra/commit/2f45529729e28254a62f7a7c8d6649066923ed1f
https://www.mend.io/vulnerability-database/CVE-2023-42448

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

Improper Validation of Specified Quantity in Input

CWE-1284

Top Fix

icon

Upgrade Version

Upgrade to version 0.13.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us