CVSS3: 8.2 High
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: LOW
- Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

AI Score: 7 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.6%)

Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector in which Nodes hold their PoST data for less than one epoch but are still eligible for rewards.
n/a
Spacemesh protocol whitepaper: https://spacemesh.io/blog/spacemesh-white-paper-1/, specifically sections 4.4.2 (“ATX Contents”) and 4.4.3 (“ATX validity”)
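
The single-chain rule described above can be checked by replaying ATXs in publication order and comparing each one's previous-ATX reference with the identity's latest accepted ATX. The following is an added illustration, not code from go-spacemesh or its fix; the `ATX` struct, `Chain`, `Audit`, the empty previous ID for a first ATX, and the sample data are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ATX is a simplified stand-in for an activation transaction (hypothetical
// fields, not the go-spacemesh type).
type ATX struct {
	ID, Smesher, PrevATX string // PrevATX is "" for an identity's first ATX (assumption)
}

var ErrWrongPrev = errors.New("previous ATX is not the smesher's latest ATX")

// Chain remembers the ID of the latest accepted ATX per smesher identity.
type Chain struct{ latest map[string]string }

func NewChain() *Chain { return &Chain{latest: map[string]string{}} }

// Accept enforces the single-chain rule: a new ATX must name the identity's
// most recent accepted ATX as its previous one, never an older ancestor.
func (c *Chain) Accept(a ATX) error {
	if want := c.latest[a.Smesher]; a.PrevATX != want {
		return fmt.Errorf("%w: %s references %q, latest is %q", ErrWrongPrev, a.ID, a.PrevATX, want)
	}
	c.latest[a.Smesher] = a.ID
	return nil
}

// Audit replays ATXs in publication order and returns the IDs that break the rule.
func Audit(atxs []ATX) []string {
	c, bad := NewChain(), []string{}
	for _, a := range atxs {
		if errors.Is(c.Accept(a), ErrWrongPrev) {
			bad = append(bad, a.ID)
		}
	}
	return bad
}

// sampleATXs is constructed data: atx-3 points back at atx-1 although atx-2 is newer.
func sampleATXs() []ATX {
	return []ATX{
		{"atx-1", "smesher-A", ""},
		{"atx-b1", "smesher-B", ""},
		{"atx-2", "smesher-A", "atx-1"},
		{"atx-3", "smesher-A", "atx-1"},
		{"atx-4", "smesher-B", "atx-b1"},
	}
}

func main() { fmt.Println("ATXs with incorrect previous ATX:", Audit(sampleATXs())) }
```
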
Name | Operator | Version
---|---|---
github.com/spacemeshos/api | lt | 1.37.1
github.com/spacemeshos/go-spacemesh | lt | 1.5.2-hotfix1
github.com/advisories/GHSA-jcqq-g64v-gcm7
github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e
github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87
github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7
nvd.nist.gov/vuln/detail/CVE-2024-34360
pkg.go.dev/vuln/GO-2024-2831
spacemesh.io/blog/spacemesh-white-paper-1