CVE-2024-34360
ATX protocol validation problem in github.com/spacemeshos/go-spacemesh
8.2
HIGH
CVSS 3.1
EPSS 0.09%
Description
Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.
How to fix CVE-2024-34360
To remediate CVE-2024-34360, upgrade the affected package to a fixed version below.
- —upgrade to 1.37.1 or later
- —upgrade to 1.37.1 or later
- —upgrade to 1.5.2-hotfix1 or later
- —upgrade to 1.5.2-hotfix1 or later
Is CVE-2024-34360 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1.37.1
- from 0, < 1.37.1
- from 0, < 1.5.2-hotfix1
- from 0, < 1.5.2-hotfix1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |