References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers assume that the history index is always available and call blockchain.history_store.history_index().unwrap() directly. That assumption is false by construction. HistoryStoreProxy::history_index() explicitly returns None for the valid HistoryStoreProxy::WithoutIndex state. when a full node is syncing or otherwise running without the history index, a remote peer can send RequestTransactionsProof or RequestTransactionReceiptsByAddress and trigger an Option::unwrap() panic on the request path. This issue has been patched in version 1.3.0.

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-252

https://github.com/nimiq/core-rs-albatross/commit/0e5c90a6c75b722f3d6091769776a4040e694dba

https://github.com/nimiq/core-rs-albatross/pull/3667

https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0

https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-xr78-2jhh-9wf9