ID CVE-2018-10769
Summary The transferProxy and approveProxy functions of a smart contract implementation for SmartMesh (SMT), an Ethereum ERC20 token, allow attackers to accomplish an unauthorized transfer of digital assets because replay attacks can occur with the same-named functions (with the same signatures) in other tokens: First (FST), GG Token (GG), M2C Mesh Network (MTC), M2C Mesh Network (mesh), and UG Token (UGT).
References
Vulnerable Configurations
  • cpe:2.3:a:smartmesh_project:smartmesh:-:*:*:*:*:*:*:*
  • cpe:2.3:a:ugtoken_project:ugtoken:-:*:*:*:*:*:*:*
  • cpe:2.3:a:gg_token_project:gg_token:-:*:*:*:*:*:*:*
  • cpe:2.3:a:first_project:first:-:*:*:*:*:*:*:*
  • cpe:2.3:a:mtc_project:mtc:-:*:*:*:*:*:*:*
  • cpe:2.3:a:mesh_project:mesh:-:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
refmap via4
misc https://github.com/nkbai/defcon26/blob/master/docs/Replay%20Attacks%20on%20Ethereum%20Smart%20Contracts.md
mlist [struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204
Last major update 03-10-2019 - 00:03
Published 10-08-2018 - 15:29
Last modified 03-10-2019 - 00:03