CVE-2023-38698: Integer Overflow or Wraparound in Ethereum Name Service

Severity
NVD: 6.5 MEDIUM
CNA: 4.9
EPSS: 0.1% (top 68.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 4

Description

Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 3 packages

Patches

Vulnerability Details (3)

CVEList: .eth registrar controller can shorten the duration of registered names (2023-08-04)
GHSA: .eth registrar controller can shorten the duration of registered names (2023-08-01)
OSV: .eth registrar controller can shorten the duration of registered names (2023-08-01)