Address Derivation Vulnerability in Ledger Bitcoin App
CVE-2023-7346
4.1 MEDIUM
What is CVE-2023-7346?
Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation flaw: when a wallet policy contains the miniscript 'a:' fragment (the wrapper that moves a sub-expression's result to the alt stack and back), the app can derive and display an incorrect Bitcoin receive address. A malicious policy can therefore be crafted so that the device shows an address that does not correspond to the policy it claims to represent, and a user who relies on the device screen to verify the address can be led to send funds to an unintended destination. This matters because the on-device address check is precisely the control a hardware wallet provides against a compromised host; a derivation bug in the app removes that guarantee for affected policies. Users on affected versions whose policies use 'a:' should cross-check receive addresses against an independent derivation before funding them.
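To make the failure mode concrete, the following is an added example, not code from this page or from Ledger: a toy miniscript compiler covering pk(), and_b(), or_b() and the a:/s: wrappers, a BIP173 bech32 encoder for the resulting wsh() address, and the independent cross-check a user should run against what a device displays. The keys are constructed placeholders, and wrap_a_broken is a hypothetical mishandling of the 'a:' wrapper used only to show that any divergence in how it is emitted changes the witness script hash and so the address; the page does not describe the app's actual defect.

```python
# Toy miniscript compiler plus wsh() address derivation. Illustrative code only,
# not the Ledger Bitcoin app's implementation.
import hashlib

OP_CHECKSIG = b"\xac"
OP_TOALTSTACK, OP_FROMALTSTACK = b"\x6b", b"\x6c"
OP_SWAP, OP_BOOLAND, OP_BOOLOR = b"\x7c", b"\x9a", b"\x9b"

# Constructed placeholder keys: 33-byte compressed-key shaped, not real curve points.
KEYS = {"A": bytes.fromhex("02" + "11" * 32), "B": bytes.fromhex("03" + "22" * 32)}


def push(data: bytes) -> bytes:
    """Direct push of 1..75 bytes."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data

def wrap_a_correct(script: bytes) -> bytes:
    """'a:X' as specified by miniscript: TOALTSTACK [X] FROMALTSTACK."""
    return OP_TOALTSTACK + script + OP_FROMALTSTACK

def wrap_a_broken(script: bytes) -> bytes:
    """Hypothetical stand-in for a mishandled 'a:' (wrapper silently dropped)."""
    return script

def split_args(s: str) -> list:
    """Split a fragment's argument list on top-level commas only."""
    args, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            args.append(cur)
            cur = ""
        else:
            cur += ch
    return args + [cur]

def compile_ms(expr: str, keys: dict, wrap_a=wrap_a_correct) -> bytes:
    """Compile a miniscript expression to a Bitcoin witness script."""
    expr = expr.strip()
    if ":" in expr.split("(", 1)[0]:            # wrapper prefix, e.g. "a:pk(B)"
        wrappers, inner = expr.split(":", 1)
        script = compile_ms(inner, keys, wrap_a)
        for w in reversed(wrappers):            # innermost wrapper applies first
            if w == "a":
                script = wrap_a(script)
            elif w == "s":
                script = OP_SWAP + script       # 's:X' = SWAP [X]
            else:
                raise ValueError(f"unsupported wrapper {w!r}")
        return script
    name, rest = expr.split("(", 1)
    args = split_args(rest[:-1])
    if name == "pk":                            # pk(K) = <K> CHECKSIG
        return push(keys[args[0]]) + OP_CHECKSIG
    if name in ("and_b", "or_b"):               # [X] [Y] BOOLAND / BOOLOR
        x, y = (compile_ms(a, keys, wrap_a) for a in args)
        return x + y + (OP_BOOLAND if name == "and_b" else OP_BOOLOR)
    raise ValueError(f"unsupported fragment {name!r}")

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def _polymod(values) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def bech32_encode(hrp: str, witver: int, prog: bytes) -> str:
    """BIP173 bech32 encoding of a witness-v0 program (P2WPKH or P2WSH)."""
    data, acc, bits = [witver], 0, 0
    for byte in prog:                           # regroup 8-bit bytes into 5-bit groups
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:
        data.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(hrp_exp + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def wsh_address(policy: str, keys: dict, wrap_a=wrap_a_correct, hrp: str = "bc") -> str:
    """wsh(policy) receive address: scriptPubKey OP_0 <sha256(witness script)>."""
    return bech32_encode(hrp, 0, hashlib.sha256(compile_ms(policy, keys, wrap_a)).digest())

def address_matches(policy: str, keys: dict, shown: str, hrp: str = "bc") -> bool:
    """Cross-check: re-derive the address independently and compare with the one shown."""
    return wsh_address(policy, keys, wrap_a_correct, hrp) == shown.lower()

if __name__ == "__main__":
    policy = "and_b(pk(A),a:pk(B))"
    shown_by_device = wsh_address(policy, KEYS, wrap_a_broken)   # hypothetical faulty output
    print("correct:", wsh_address(policy, KEYS))
    print("broken :", shown_by_device)
    print("broken address passes cross-check?", address_matches(policy, KEYS, shown_by_device))
```

Running it prints two different bc1q addresses for the same policy, and address_matches rejects the second one. The same cross-check, performed with a second, independent implementation of the descriptor, is what a user on an affected version should do before funding an address the device shows.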
Affected Version(s)
Ledger Bitcoin app 2.1.0
Ledger Bitcoin app 2.1.1
Ledger Bitcoin app 2.1.2
CVSS V4
Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Physical
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Credit
Kevin Loaec
Antoine Poinsot
VulnCheck
