Current Description
In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug."
Analysis Description
In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.
Metrics
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References to Advisories, Solutions, and Tools
| URL | Source(s) | Tag(s) |
|---|---|---|
| https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures | CVE, MITRE | Third Party Advisory |
| https://github.com/bitcoin/bitcoin/blob/65c05db660b2ca1d0076b0d8573a6760b3228068/src/kernel/mempool_options.h#L46-L53 | CVE, MITRE | |
| https://github.com/bitcoin/bitcoin/pull/28408#issuecomment-1844981799 | CVE, MITRE | Issue Tracking |
| https://github.com/bitcoin/bitcoin/tags | CVE, MITRE | Product |
| https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md | CVE, MITRE | Release Notes |
| https://twitter.com/LukeDashjr/status/1732204937466032285 | CVE, MITRE | Issue Tracking, Third Party Advisory |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| NVD-CWE-noinfo | Insufficient Information | |
Known Affected Software Configurations
Change History
9 change records found
CVE Modified by CVE 11/21/2024 3:36:57 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures |
| Added | Reference | | https://github.com/bitcoin/bitcoin/blob/65c05db660b2ca1d0076b0d8573a6760b3228068/src/kernel/mempool_options.h#L46-L53 |
| Added | Reference | | https://github.com/bitcoin/bitcoin/pull/28408#issuecomment-1844981799 |
| Added | Reference | | https://github.com/bitcoin/bitcoin/tags |
| Added | Reference | | https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md |
| Added | Reference | | https://twitter.com/LukeDashjr/status/1732204937466032285 |
CVE Modified by MITRE 8/02/2024 7:15:27 PM
CVE Modified by MITRE 5/16/2024 10:32:02 PM
CVE Modified by MITRE 5/14/2024 10:16:15 AM
CVE Modified by MITRE 4/10/2024 9:22:40 PM
CVE Modified by MITRE 3/20/2024 10:49:58 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Tag | | MITRE disputed |
CVE Modified by MITRE 1/04/2024 12:15:08 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Description | In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. | In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug." |
| Added | Reference | | MITRE https://github.com/bitcoin/bitcoin/blob/65c05db660b2ca1d0076b0d8573a6760b3228068/src/kernel/mempool_options.h#L46-L53 [No types assigned] |
Initial Analysis by NIST 12/11/2023 12:50:29 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Added | CWE | | NIST NVD-CWE-noinfo |
| Added | CPE Configuration | | OR: `*cpe:2.3:a:bitcoin:bitcoin_core:*:*:*:*:*:*:*:*` versions from (including) 0.9 up to (including) 26.0; `*cpe:2.3:a:bitcoinknots:bitcoin_knots:*:*:*:*:*:*:*:*` versions from (including) 0.9 up to (excluding) 25.1 |
| Changed | Reference Type | https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures No Types Assigned | https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures Third Party Advisory |
| Changed | Reference Type | https://github.com/bitcoin/bitcoin/pull/28408#issuecomment-1844981799 No Types Assigned | https://github.com/bitcoin/bitcoin/pull/28408#issuecomment-1844981799 Issue Tracking |
| Changed | Reference Type | https://github.com/bitcoin/bitcoin/tags No Types Assigned | https://github.com/bitcoin/bitcoin/tags Product |
| Changed | Reference Type | https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md No Types Assigned | https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md Release Notes |
| Changed | Reference Type | https://twitter.com/LukeDashjr/status/1732204937466032285 No Types Assigned | https://twitter.com/LukeDashjr/status/1732204937466032285 Issue Tracking, Third Party Advisory |
New CVE Received from MITRE 12/09/2023 2:15:07 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. |
| Added | Reference | | MITRE https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures [No types assigned] |
| Added | Reference | | MITRE https://github.com/bitcoin/bitcoin/pull/28408#issuecomment-1844981799 [No types assigned] |
| Added | Reference | | MITRE https://github.com/bitcoin/bitcoin/tags [No types assigned] |
| Added | Reference | | MITRE https://github.com/bitcoinknots/bitcoin/blob/aed49ce8989334c364a219a6eb016a3897d4e3d7/doc/release-notes.md [No types assigned] |
| Added | Reference | | MITRE https://twitter.com/LukeDashjr/status/1732204937466032285 [No types assigned] |