CVE-2022-32984: BTCPay Server vulnerability disclosure affecting versions 1.3.0 through 1.5.3

BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn’t using the internal lightning node, the credentials of a lightning node are exposed.


CVE-2022-32984 - Vulnerability disclosure affecting BTCPay Server V1.3.0 through V1.5.3. A remote attacker can obtain sensitive information when a Point of Sale app (a BTCPay Server component) is publicly exposed.

On May 28, 2022 Antoine Poinsot responsibly disclosed a vulnerability affecting BTCPay Server v1.3.0 to v1.5.3. On the same day we released v1.5.4, which includes a patch for it. We've awarded Antoine a 5000 USD reward due to the severity of the vulnerability. He found an information leak in the Point of Sale (POS) component of BTCPay Server: if the store used an external lightning node, the store's xpub (its extended public key, from which every receiving address of the store's wallet can be derived, so it reveals the wallet's full payment history and future addresses, though not the ability to spend) and the credentials used to reach the lightning node could be leaked; if the store used the internal node, only the xpub could be leaked. Due to the severity of this vulnerability, it is the highest bounty we have paid so far. We strive to uphold the highest of standards and seek to keep rewarding those who help us in this mission.

# ⏱️ Timeline

  • Oct 29, 2021, release 1.3.0: vulnerability introduced.
  • May 28, 2022: vulnerability disclosed.
  • May 28, 2022, release 1.5.4: vulnerability patched.
  • Jun 8, 2022: release notes for 1.6.0 include a note on the security vulnerability urging users to upgrade.
  • Jun 10, 2022: CVE candidate reserved.

# CVE-2022-32984 (allows a remote attacker to obtain sensitive information if a publicly exposed POS app is available)

A malicious party could obtain sensitive store information from a publicly exposed Point Of Sale (POS) app. This was possible in BTCPay Server versions 1.3.0 to 1.5.3.

  • Details: To exploit this vulnerability, the attacker only had to view the HTML source of the publicly exposed POS app, which any visitor can do. The source contained sensitive store information: the store's xpub, and the Lightning credentials when the store was connected to an external node. When the store used the internal node, the Lightning credentials could not be leaked.
  • Users affected: Users running a publicly exposed Point Of Sale (POS) app.
  • Impact: Sensitive store information, including the xpub and lightning network credentials, could be obtained.
  • Severity: Critical
  • Affected versions: V1.3.0 to V1.5.3

# Summary

If your BTCPay Server instance is running any version from 1.3.0 through 1.5.3, we highly recommend upgrading immediately to 1.5.4 or later, ideally the latest release. You can find the version number of your BTCPay Server in the bottom right of the dashboard. To update, go to Server Settings > Maintenance tab and click Update, or run the command btcpay-update.sh on the command line. Note that upgrading stops further disclosure but does not revoke what was already readable: if a POS app was publicly reachable while the instance ran an affected version, treat the store's xpub as disclosed and, if the store uses an external lightning node, rotate that node's credentials.
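The two checks a practitioner would want here, covering the Details list above and this upgrade guidance, as an added example in Python (not BTCPay Server's own code): parse a displayed version string such as V1.5.3 and test it against the advisory's affected range, and scan the saved HTML source of a public POS page for an extended public key and for a lightning connection string, redacting what it finds so the report itself is safe to share. The sample page, the srvModel/derivationScheme/lightningConnectionString names, the xpub value and the type=...;server=...;macaroon=... layout are all constructed assumptions of this example; the advisory does not show the leaked format.

```python
import re
from typing import Dict, List, Tuple

# Range taken from the advisory: introduced in 1.3.0, last affected 1.5.3, fixed in 1.5.4.
AFFECTED_MIN = (1, 3, 0)
AFFECTED_MAX = (1, 5, 3)
FIXED = "1.5.4"

# BIP32-style extended public key: 4-letter prefix plus 107 Base58 characters (111 in total).
# The advisory only names xpub; ypub/zpub and the testnet prefixes are an addition of this
# example so stores using segwit derivation schemes are caught as well.
XPUB_RE = re.compile(r"\b[xyztuv]pub[1-9A-HJ-NP-Za-km-z]{107}\b")

# Assumed lightning connection-string layout: "type=<impl>;server=<url>;<credential>=<value>...".
# The advisory does not show the leaked format, so this pattern is an assumption of the example.
LN_CONN_RE = re.compile(r"\btype=(?P<kind>[a-z0-9-]+);(?P<rest>[^\s\"'<>]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V1.5.3', 'v1.6.0' or '1.5' into a comparable tuple; missing parts count as 0."""
    core = text.strip().lstrip("vV").split("-", 1)[0]  # drop any '-suffix' (assumed tag style)
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the instance runs a release inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_pos_html(html: str) -> Dict[str, List[str]]:
    """Report what any visitor could read from the POS page source, with values redacted
    so the report can be pasted into a ticket without repeating the leak."""
    findings: Dict[str, List[str]] = {"xpub": [], "lightning": []}
    for m in XPUB_RE.finditer(html):
        key = m.group(0)
        findings["xpub"].append(key[:8] + "..." + key[-4:])
    for m in LN_CONN_RE.finditer(html):
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split(";") if "=" in kv)
        credentials = sorted(name for name in fields if name != "server")
        findings["lightning"].append(
            f"{m.group('kind')} node at {fields.get('server', '?')}; "
            f"credential fields exposed: {', '.join(credentials) or 'none'}"
        )
    return findings


def triage(version: str, pos_html: str) -> Dict[str, object]:
    """Combine both checks into the advice the advisory gives."""
    affected = is_affected(version)
    return {
        "affected_version": affected,
        "leaks": scan_pos_html(pos_html),
        "action": f"upgrade to {FIXED} or later" if affected else "version not in the affected range",
    }


# Constructed sample page (not a capture from BTCPay Server): the key names and the xpub
# value are made up; the xpub merely has the right prefix, alphabet and length.
SAMPLE_XPUB = "xpub" + ("9Zq4Kf7Rb3Hm" * 9)[:107]
SAMPLE_POS_HTML = (
    '<html><body><div id="app"></div>\n<script>\n  var srvModel = {\n'
    '    "derivationScheme": "' + SAMPLE_XPUB + '",\n'
    '    "lightningConnectionString": "type=lnd-rest;server=https://lnd.example.internal:8080/;'
    'macaroon=0201036c6e640247deadbeef;certthumbprint=ab12cd34"\n'
    "  };\n</script>\n</body></html>"
)
SAFE_POS_HTML = '<html><body><div id="app"></div><script>var srvModel = {"currency": "USD"};</script></body></html>'

if __name__ == "__main__":
    for ver in ("V1.3.0", "1.5.3", "v1.5.4", "1.6.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(triage("1.5.3", SAMPLE_POS_HTML))
```

Against a live instance, save the public POS page source to a file (for example with curl) and pass its contents to scan_pos_html; the xpub match is anchored to the exact 111-character length so random Base58-looking tokens do not produce false positives, and the report never repeats the credential values themselves.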

We want to thank Antoine for submitting this vulnerability and doing so in an orderly manner. We've agreed to disclose the amount awarded. As an open-source project, BTCPay Server values and will keep rewarding those who improve the software and its security.

Thank you 💚

Last Updated: 1/31/2023, 12:39:55 AM
