Miggo Logo
Miggo Vulnerability Database
CVE-2022-47931

CVE-2022-47931: Collision of hash values in github.com/bnb-chain/tss-lib

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-47931
GHSA ID
GHSA-cvcx-g7wh-x8rf
EPSS Score
0.08725%
CWE
CWE-327
Published
12/23/2022
Updated
5/20/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/bnb-chain/tss-libgo< 1.3.6-0.20230324145555-bb6fb30bd3eb1.3.6-0.20230324145555-bb6fb30bd3eb

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from insecure input concatenation in hash functions. The patch in commit 369ec50 modified both SHA512_256 and SHA512_256i to add binary-encoded length prefixes instead of string delimiters. The CVE description specifically mentions hash collisions related to these functions' input handling, and the GitHub advisory links to a fix that directly modifies these functions in hash.go. The medium.com analysis explicitly cites these functions as the source of CVE-2022-47931.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

IO *inN*t tss-li* ***or* *.*.* *llows * *ollision o* **s* v*lu*s.

Reasoning

T** vuln*r**ility st*mm** *rom ins**ur* input *on**t*n*tion in **s* *un*tions. T** p*t** in *ommit ******* mo*i*i** *ot* S*****_*** *n* S*****_***i to *** *in*ry-*n*o*** l*n*t* pr**ix*s inst*** o* strin* **limit*rs. T** *V* **s*ription sp**i*i**lly m