CVE-2019-7167

{"id": "CVE-2019-7167", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-03-27T02:29:00.250", "references": [{"url": "http://fortune.com/2019/02/05/zcash-vulnerability-cryptocurrency/", "tags": ["Press/Media Coverage", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/JinBean/CVE-Extension", "source": "cve@mitre.org"}, {"url": "https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "Zcash, before the Sapling network upgrade (2018-10-28), had a counterfeiting vulnerability. A key-generation process, during evaluation of polynomials related to a to-be-proven statement, produced certain bypass elements. Availability of these elements allowed a cheating prover to bypass a consistency check, and consequently transform the proof of one statement into an ostensibly valid proof of a different statement, thereby breaking the soundness of the proof system. This misled the original Sprout zk-SNARK verifier into accepting the correctness of a transaction."}, {"lang": "es", "value": "Zcash, antes de la actualizaci\u00f3n de la red Sapling (28/10/2018), ten\u00eda una vulnerabilidad de falsificaci\u00f3n. Un proceso generador de claves durante la evaluaci\u00f3n de polinomios relacionados con una instrucci\u00f3n por confirmar produc\u00eda ciertos elementos de omisi\u00f3n. La disponibilidad de estos elementos permit\u00eda que un \"prover\" falso omitiese una comprobaci\u00f3n de consistencia y, en consecuencia, transformase la prueba de una instrucci\u00f3n en una prueba ostensiblemente v\u00e1lida de una instrucci\u00f3n diferente, quebrantando as\u00ed la seguridad del sistema de pruebas. Esto hac\u00eda que el verificador Sprout zk-SNARK original aceptase que una transacci\u00f3n fuese correcta."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:z.cash:zcash:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA26BB19-6E16-4B93-BADC-1859FE3AE39C", "versionEndIncluding": "2.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}