Incorrect Default Permissions in Binance tss-lib

High severity GitHub Reviewed Published Jun 29, 2021 to the GitHub Advisory Database • Updated Oct 2, 2023

Package

gomod github.com/binance-chain/tss-lib (Go)

Affected versions

< 1.2.0

Patched versions

1.2.0

Description

The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties.

Specific Go Packages Affected

github.com/binance-chain/tss-lib/ecdsa/keygen

References

Reviewed May 25, 2021
Published to the GitHub Advisory Database Jun 29, 2021
Last updated Oct 2, 2023

Severity

High 7.2 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:R

Weaknesses

CVE ID

CVE-2020-12118

GHSA ID

GHSA-399h-cmvp-qgx5

Source code

No known source code