8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39389

GHSA ID

GHSA-hc82-w9v8-83pr

EPSS Score

0.24014%

CWE

CWE-20

Published

11/18/2022

Updated

1/29/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39389

CVE-2022-39389: Witness Block Parsing DoS Vulnerability

Impact

All lnd nodes before version v0.15.4 are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected.

This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC.

Patches

A patch is available starting with lnd v0.15.4.

Workarounds

Nodes can use the lncli updatechanpolicy RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.

References

https://github.com/lightningnetwork/lnd/issues/7096

https://github.com/lightningnetwork/lnd/releases/tag/v0.15.4-beta

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39389

CVE-2022-39389:

8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39389

GHSA ID

GHSA-hc82-w9v8-83pr

EPSS Score

0.24014%

CWE

CWE-20

Published

11/18/2022

Updated

1/29/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/lightningnetwork/lnd	go	< 0.15.4-beta	0.15.4-beta

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a dependency (btcd) used by lnd, specifically in its transaction parsing logic. The error 'MsgTx.BtcDecode: too many witness items to fit into max message size' indicates improper input validation in btcd's transaction decoding function. However, the affected package listed in the query is lnd itself, not btcd. The fix involved updating the btcd dependency to v0.23.3, but no vulnerable functions were explicitly identified in lnd's own codebase from the provided data. The vulnerability arises from lnd's reliance on a vulnerable version of btcd, not from lnd's internal functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39389: Witness Block Parsing DoS Vulnerability

Impact

Patches

Workarounds

References

CVE-2022-39389:

8.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-39389: Witness Block Parsing DoS Vulnerability

Impact

Patches

Workarounds

References

8.2

8.2

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI