CVE-2023-7346

CVSS v3.1

4.0

Medium

Vector

AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-682

Related Identifiers

CVE-2023-7346

Affected Products

Ledger Bitcoin App

CVE-2023-7346

Weakness Enumeration

Related Identifiers

Affected Products

References · 3