CVE-2016-8889
medium
CVSS v3: 6.2
CVSS v2: 2.1
VIR risk: 6.2
Description
In Bitcoin Knots v0.11.0.ljr20150711 through v0.13.0.knots20160814 (fixed in v0.13.1.knots20161027), the debug console stores sensitive information, including private keys and the wallet passphrase, in its persistent command history.
Predictions
Exploit likelihood: 62%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://github.com/bitcoinknots/bitcoin/blob/v0.13.1.knots20161027/doc/release-notes.md
Vendor advisory: cve@mitre.org — https://bitcointalk.org/index.php?topic=1618462.0
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| bitcoin_knots_project | bitcoin_knots | 0.11.0 | |
| bitcoin_knots_project | bitcoin_knots | 0.11.1 | |
| bitcoin_knots_project | bitcoin_knots | 0.11.2 | |
| bitcoin_knots_project | bitcoin_knots | 0.12.0 | |
| bitcoin_knots_project | bitcoin_knots | 0.12.0.knots20160226 | |
| bitcoin_knots_project | bitcoin_knots | 0.12.1.knots20160629 | |
| bitcoin_knots_project | bitcoin_knots | 0.13.0.knots20160814 | |
References
- http://www.securityfocus.com/bid/94235
- https://bitcointalk.org/index.php?topic=1618462.0
- https://github.com/bitcoinknots/bitcoin/blob/v0.13.1.knots20161027/doc/release-notes.md
CWEs
CWE-200 CWE-310