CVE-2021-32738 stellar-sdk

Package

Manager: npm
Name: stellar-sdk
Vulnerable Version: >=0 <8.2.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00069 (percentile 0.21726)

Details

Utils.readChallengeTx does not verify the server account signature

The `Utils.readChallengeTx` function used in [SEP-10 Stellar Web Authentication](https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md) states in its function documentation that it reads and validates the challenge transaction, including verifying that the `serverAccountID` has signed the transaction. The function did not verify that the server has signed the transaction; this has been fixed in v8.2.3 so that it does.

Applications that also used `Utils.verifyChallengeTxThreshold` or `Utils.verifyChallengeTxSigners` to verify the signatures on the challenge transaction, including the server signature, are unaffected, as those functions do verify that the server signed the transaction. Applications calling `Utils.readChallengeTx` alone should update to v8.2.3 to ensure that the challenge transaction is completely valid and signed by the server that created it.

Metadata

Created: 2021-07-02T19:20:33Z
Modified: 2021-07-02T18:25:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-6cgh-hjpw-q3gq/GHSA-6cgh-hjpw-q3gq.json
CWE IDs: ["CWE-287", "CWE-347"]
Alternative ID: GHSA-6cgh-hjpw-q3gq
Finding: F204
Auto approve: 1