Skip to main content

Libra Core CVE-2019-16214

MEDIUM
2019-09-11 cve@mitre.org
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 11, 2019 - 04:15 nvd
MEDIUM 5.7

DescriptionNVD

Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character for a comment. For example, a Move module author can enter the // sequence (which introduces a single-line comment), followed by very brief comment text, the \r character, and code that has security-critical functionality. In many popular environments, this code is displayed on a separate line, and thus a reader may infer that the code is executed. However, the code is NOT executed, because language/compiler/ir_to_bytecode/src/parser.rs allows the comment to continue after the \r character.

AnalysisAI

Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character for a comment. For example, a Move module author can enter the // sequence (which introduces a single-line comment), followed by very brief comment text, the \r character, and code that has security-critical functionality. In many popular environments, this code is displayed on a separate line, and thus a reader may infer that the code is executed. However, the code is NOT executed, because language/compiler/ir_to_bytecode/src/parser.rs allows the comment to continue after the \r character. Affected products include: Libra Libra Core. Version information: before 2019.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2019-16214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy