CVE-2017-12842
moderate-risk
Published 2020-03-16
Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did not actually occur. Completing the attack would cost more than a million dollars, and is relevant mainly only in situations where an autonomous system relies solely on an SPV proof for transactions of a greater dollar amount.
Do I need to act?
EPSS score: 1.9% chance of exploitation in next 30 days (moderate exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High · NETWORK / LOW complexity
References
Third Party Advisory
https://bitslog.wordpress.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tr...
Vendor Advisory
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
Third Party Advisory
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-February/016697.htm...
36
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
5/34 · Minimal
Exposure
5/34 · Minimal