CVE-2020-5232Improper Authorization in ENS

CWE-285Improper Authorization5 documents4 sources
Severity
8.7HIGHNVD
EPSS
0.3%
top 48.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Ensdomains ENSEnsdomains ENSEns.domains Ethereum Name Service
Timeline
PublishedJan 31
Latest updateMar 3

Description

A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 2.3 | Impact: 5.8

Affected Packages3 packages

npmensdomains/ens< 0.4.0
CVEListV5ensdomains/ensdomains_ens< 0.4.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Malicious takeover of previously owned ENS names2020-01-30
GHSA
Malicious takeover of previously owned ENS names2020-01-30

🕵️Threat Intelligence

2
Trailofbits
Manticore discovers the ENS bug2020-03-03
Trailofbits
Manticore discovers the ENS bug2020-03-03