NVD Vulnerability Detail

CVE-2021-39193

Summary	Frontier is Substrate's Ethereum compatibility layer. Prior to commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26, a bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` due to not validating the input data size. Any invalid transactions included this way have no possibility to alter the internal Ethereum or Substrate state. The transaction will appear to have be included, but is of no effect as it is rejected by the EVM engine. The impact is further limited by Substrate extrinsic size constraints. A patch is available in commit number 0b962f218f0cdd796dadfe26c3f09e68f7861b26. There are no workarounds aside from applying the patch.
Publication Date	Sept. 4, 2021, 3:15 a.m.
Registration Date	Sept. 4, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:18 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:parity:frontier::::::::					2021-09-03

Related information, measures and tools

No	URL	タグ
1	https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26	Patch Third Party Advisory
2	https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26	Patch Third Party Advisory
3	https://github.com/paritytech/frontier/pull/465	Patch Third Party Advisory
4	https://github.com/paritytech/frontier/pull/465	Patch Third Party Advisory
5	https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae	Patch Third Party Advisory
6	https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae	Patch Third Party Advisory
7	https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm	Patch Third Party Advisory
8	https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-1284	入力で指定された数量の不適切な検証	https://cwe.mitre.org/data/definitions/1284.html

JVN Vulnerability Information

Frontier における入力確認に関する脆弱性

Title	Frontier における入力確認に関する脆弱性
Summary	Frontier には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 1, 2021, midnight
Registration Date	July 27, 2022, 4:48 p.m.
Last Update	July 27, 2022, 4:48 p.m.

Affected System

Parity Technologies

Frontier

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-39193	https://www.cve.org/CVERecord?id=CVE-2021-39193
National Vulnerability Database (NVD)
2	CVE-2021-39193	https://nvd.nist.gov/vuln/detail/CVE-2021-39193

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
GitHub
1	Add transaction cost pre-validation (#465)	https://github.com/paritytech/frontier/commit/0b962f218f0cdd796dadfe26c3f09e68f7861b26
2	Transaction validity oversight in pallet-ethereum	https://github.com/paritytech/frontier/security/advisories/GHSA-hw4v-5x4h-c3xm
3	Validate transaction cost #465 (commits 8a2b890a2fb477d5fedd0e4335b00623832849ae)	https://github.com/paritytech/frontier/pull/465/commits/8a2b890a2fb477d5fedd0e4335b00623832849ae
4	Validate transaction cost #465 (pull 465)	https://github.com/paritytech/frontier/pull/465

Change Log

No	Changed Details	Date of change
1	[2022年07月01日] 掲載	July 1, 2022, 12:32 p.m.