CVE-2018-19183

ethereumjs-vm 2.4.0 allows attackers to cause a denial of service (vm.runCode failure and REVERT) via a "code: Buffer.from(my_code, 'hex')" attribute. NOTE: the vendor disputes this because REVERT is a normal bytecode that can be triggered from high-level source code, leading to a normal programmatic execution result.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
VendorProductVersion
ethereumjs-vm_projectethereumjs-vm
2.4.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ethereumjs/ethereumjs-monorepo/issues/386#issuecomment-439372074
https://github.com/ethereumjs/ethereumjs-monorepo/issues/395#issuecomment-472449204
https://github.com/ethereumjs/ethereumjs-vm/issues/386
https://github.com/ethereumjs/ethereumjs-monorepo/issues/386#issuecomment-439372074
https://github.com/ethereumjs/ethereumjs-monorepo/issues/395#issuecomment-472449204
https://github.com/ethereumjs/ethereumjs-vm/issues/386