CVE-2020-6861
- Source
- https://cve.org/CVERecord?id=CVE-2020-6861
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-6861.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-6861
- Published
- 2020-05-06T14:15:11.083Z
- Modified
- 2026-04-11T13:53:25.804247Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.
- References
Affected packages
Git / github.com/ledgerhq/app-monero
Affected versions
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0-alpha1
1.4.0-alpha2
1.4.1
1.4.2
1.5.0
Other
Beta1
Beta2
Beta3
Beta4
Beta5
Database specific
vanir_signatures_modified
"2026-04-11T13:53:25Z"
vanir_signatures
[
{
"id": "CVE-2020-6861-1d54e770",
"target": {
"file": "src/monero_open_tx.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"101741386905829353390738821569549687821",
"229090205630727460719228199548747180290",
"22077540944309426620964614272921675852",
"285395983083939586261017318037235051181"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/ledgerhq/app-monero/commit/63e6831c8062da5c94b96ddca877b397464a582f",
"signature_version": "v1"
},
{
"id": "CVE-2020-6861-26b7a063",
"target": {
"file": "src/monero_open_tx.c",
"function": "monero_apdu_open_tx"
},
"deprecated": false,
"digest": {
"function_hash": "113563531168246943257164532100527837457",
"length": 246.0
},
"signature_type": "Function",
"source": "https://github.com/ledgerhq/app-monero/commit/63e6831c8062da5c94b96ddca877b397464a582f",
"signature_version": "v1"
},
{
"id": "CVE-2020-6861-67232e9b",
"target": {
"file": "src/monero_ux_nano.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"45368085189849241846371384634707785861",
"76074305106806271853893752226834569509",
"336782104617801452773831128018564400872",
"76446207293541156956980447980398319837",
"126859190297950555234972935200095419835",
"16471406417976635148268064813046687011"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/ledgerhq/app-monero/commit/63e6831c8062da5c94b96ddca877b397464a582f",
"signature_version": "v1"
},
{
"id": "CVE-2020-6861-bf4f7eb7",
"target": {
"file": "src/monero_ux_nanos.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"285884109718157205990155085200126671806",
"76074305106806271853893752226834569509",
"228578609159770551741535275556781084005",
"159287416375869182679674429704463080556",
"76446207293541156956980447980398319837",
"17034398394533678339953578823210019125",
"114072379502219694448221604967310847693"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/ledgerhq/app-monero/commit/63e6831c8062da5c94b96ddca877b397464a582f",
"signature_version": "v1"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-6861.json"