Vulnerability Description
Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Crypto | Cronos | < 0.6.5 |
| Crypto | Ethermint | < 0.7.3 |
| Crypto | Evmos | <= 0.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/crypto-org-chain/cronos/commit/150ef237b37ac28c8136e1c0f49493 (Patch, Third Party Advisory)
- https://github.com/crypto-org-chain/cronos/pull/270 (Patch, Third Party Advisory)
- https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw (Third Party Advisory)
FAQ
What is CVE-2021-43839?
CVE-2021-43839 is a vulnerability with a CVSS score of 7.5 (HIGH) in Cronos nodes running versions before v0.6.5 (and in the Ethermint and Evmos versions listed in the table above): a custom crafted MsgEthereumTx can take transaction fees from Cosmos SDK's FeeCollector for the current block. See the Vulnerability Description above.
How severe is CVE-2021-43839?
CVE-2021-43839 has been rated HIGH with a CVSS base score of 7.5/10. The impact is financial: a single crafted transaction can take the fees collected from the other transactions in the current block, and because no workaround has been tested, upgrading is the only mitigation.
Is there a patch for CVE-2021-43839?
Yes. The issue is patched in Cronos v0.6.5; the fixing commit and pull request are listed in the references above. The affected-products table gives the version boundaries for the other affected products, Ethermint (< 0.7.3) and Evmos (<= 0.4.2). Validator node operators should upgrade, since no workaround has been tested.