CVE-2024-34694

2024-06-1415:15:50

CWE-754

[email protected]

web.nvd.nist.gov

lnbits

lightning wallet

vulnerability

eclair

payment

funds

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

7.9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

LNbits is a Lightning wallet and accounts system. Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight. This vulnerability can lead to a total loss of funds for the node backend. This vulnerability is fixed in 0.12.6.

Affected configurations

Vulners

Node

lnbitslnbitsRange<0.12.6

CNA Affected

[
  {
    "vendor": "lnbits",
    "product": "lnbits",
    "versions": [
      {
        "version": "< 0.12.6",
        "status": "affected"
      }
    ]
  }
]