{"vulnerability": "CVE-2021-39137", "sightings": [{"uuid": "a5b6949b-2f0d-45f4-9217-7eff656d128b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39137", "type": "published-proof-of-concept", "source": "https://t.me/tech_b0lt_Genona/3007", "content": "> The first erroneous computation example is CVE-2021-39137 which is an interesting go-ethereum bug identified by Guido Vranken. The bug caused a netsplit in the Ethereum network and essentially results from the ability to have a mutable and non-mutable slice referencing the same chunk of memory. \n\nA deeper dive into CVE-2021-39137 \u2013 a Golang security bug that Rust would have prevented\nhttps://research.nccgroup.com/2022/02/07/a-deeper-dive-into-cve-2021-39137-a-golang-security-bug-that-rust-would-have-prevented/\n\n\u0418 \u0447\u0442\u043e \u0431 \u0434\u0432\u0430 \u0440\u0430\u0437\u0430 \u043d\u0435 \u0432\u0441\u0442\u0430\u0432\u0430\u0442\u044c. \u0418\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u044b\u0439 \u043f\u043e\u0441\u0442\n\n> On 2/2/2022, I reported a critical security issue to Optimism\u2014an \"L2 scaling solution\" for Ethereum\u2014that would allow an attacker to replicate money on any chain using their \"OVM 2.0\" fork of go-ethereum (which they call l2geth).\n\nAttacking an Ethereum L2 with Unbridled Optimism\nhttps://www.saurik.com/optimism.html", "creation_timestamp": "2022-02-11T08:04:20.000000Z"}, {"uuid": "63df59db-7464-438c-bb19-f2a207823836", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39137", "type": "seen", "source": "https://t.me/BleepingComputer/10387", "content": "Ethereum urges Go devs to fix severe chain-split vulnerability\n\nEthreum\u00a0project is\u00a0urging\u00a0developers to apply a hotfix to squash a high-severity vulnerability. The chain-split vulnerability tracked as CVE-2021-39137, impacts \"Geth,\" the\u00a0official\u00a0Golang implementation of the Ethereum protocol. [...]\n\nhttps://www.bleepingcomputer.com/news/security/ethereum-urges-go-devs-to-fix-severe-chain-split-vulnerability/", "creation_timestamp": "2021-08-25T16:41:02.000000Z"}, {"uuid": "45ed7bb3-161d-41f6-ad1f-f3cde4f0f801", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39137", "type": "seen", "source": "https://t.me/cibsecurity/27783", "content": "\u203c CVE-2021-39137 \u203c\n\ngo-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8` release. No workaround are available.\n\n? Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-08-24T20:25:09.000000Z"}, {"uuid": "ff6b7fa0-6f36-4f30-af11-276858806548", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-39137", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/4203", "content": "#Analytics\nTop 10 Most Used Vulns of the Month (Aug 1-31)\nCVE-2021-1675 - Print Spooler EoP\nhttps://t.me/cybersecuritytechnologies/3723\nCVE-2021-31956 - Win NTFS EoP\nhttps://t.me/cybersecuritytechnologies/4110\nCVE-2021-36958 - Print Spooler RCE\nhttps://mobile.twitter.com/gentilkiwi/status/1416429860566847490?s=20\nCVE-2021-39137 - A consensus-vuln in go-eth\nCVE-2021-22937 - Pulse ConnSecure RCE\nhttps://t.me/cybersecuritytechnologies/4044\nCVE-2021-34473 - Pre-auth Path Confusion\nhttps://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell\nCVE-2021-21225 - Vuln in V8's Array.prototype.concat\nhttps://t.me/cybersecuritytechnologies/4090\nCVE-2021-20090 - Path traversal in Buffalo routers\nhttps://t.me/cybersecuritytechnologies/3986\nCVE-2021-26084 - Confluence Server Webwork OGNL Inj\nhttps://t.me/cybersecuritytechnologies/4202\nCVE-2021-3711 - Vulns in OpenSSL\nhttps://nakedsecurity.sophos.com/2021/08/27/big-bad-decryption-bug-in-openssl-but-no-cause-for-alarm", "creation_timestamp": "2021-09-02T11:05:07.000000Z"}]}