CVE-2022-35917

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-35917
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35917.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35917
Aliases
Published
2022-08-01T21:10:11Z
Modified
2026-04-02T08:04:51.935621Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Weakness in Transfer Validation Logic in @solana/pay
Details

Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied validateTransfer function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. This issue has been patched as of version 0.2.1. Users of the Solana Pay SDK should upgrade to it. There are no known workarounds for this issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-670"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35917.json"
}
References

Affected packages

Git / github.com/solana-foundation/solana-pay

Affected ranges

Type
GIT
Repo
https://github.com/solana-foundation/solana-pay
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ac6ce0d0a81137700874a8bf5a7caac3be999fad
Type
GIT
Repo
https://github.com/solana-foundation/solana-pay
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ac6ce0d0a81137700874a8bf5a7caac3be999fad

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35917.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "0.2.1"
            }
        ]
    }
]