CVE-2021-25835

Published: Feb 8, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Cosmos Network Ethermint <= v0.4.0 is affected by a cross-chain transaction replay vulnerability in the EVM module. Since ethermint uses the same chainIDEpoch and signature schemes with ethereum for compatibility, a verified signature in ethereum is still valid in ethermint with the same msg content and chainIDEpoch, which enables "cross-chain transaction replay" attack.

Affected (1)

Products: Chainsafe: Ethermint

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Chainsafe Ethermint	Up to 0.4.0

Related CWEs

Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

References (4)

https://github.com/cosmos/ethermint/issues/687

Source: cve@mitre.org

Third Party Advisory

https://github.com/cosmos/ethermint/pull/692

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/cosmos/ethermint/issues/687

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/cosmos/ethermint/pull/692

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.