How severe is CVE-2023-28431?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2023-28431?

This is classified as CWE-682, which is a common weakness in software security.

CVE-2023-28431 - HIGH Severity | CVSS 7.5

Vulnerability Description

Frontier is an Ethereum compatibility layer for Substrate. Frontier's `modexp` precompile uses `num-bigint` crate under the hood. In the implementation prior to pull request 1017, the cases for modulus being even and modulus being odd are treated separately. Odd modulus uses the fast Montgomery multiplication, and even modulus uses the slow plain power algorithm. This gas cost discrepancy was not accounted for in the `modexp` precompile, leading to possible denial of service attacks. No fixes for `num-bigint` are currently available, and thus this issue is fixed in the short term by raising the gas costs for even modulus, and in the long term fixing it in `num-bigint` or switching to another modexp implementation. The short-term fix for Frontier is deployed at pull request 1017. There are no known workarounds aside from applying the fix.

Related Vulnerabilities

CVE-2017-0819

HIGH

CVSS:7.5(High)

A vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63045918.

CWE-6822017

CVE-2018-14439

HIGH

CVSS:7.5(High)

espritblock eos4j, an unofficial SDK for EOS, through 2018-07-12 mishandles floating-point numbers with more than four digits after the decimal point, which might allow attackers to trigger currency t...

CWE-6822018

CVE-2018-18225

HIGH

CVSS:7.5(High)

In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was addressed in epan/dissectors/packet-coap.c by ensuring that the piv length is correctly computed.

CWE-6822018

CVE-2018-20999

HIGH

CVSS:7.5(High)

An issue was discovered in the orion crate before 0.11.2 for Rust. reset() calls cause incorrect results.

CWE-6822018

CVE-2019-17514

HIGH

CVSS:7.5(High)

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: ...

CWE-6822019

CVE-2020-26240

HIGH

CVSS:7.5(High)

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate P...

CWE-6822020