CVE-2020-12119
Ledger Live < 2.7.0 - Insufficient Verification of Data Authenticity in Bitcoin RBF Handling
Severity: HIGH
Title source: llmDescription
Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF). It increases the user's balance by the value of an incoming transaction as soon as that transaction is received (while it is still unconfirmed) and does not decrease the balance when the transaction is later canceled by an RBF replacement. As a result, users are exposed to basic double spending attacks, amplified double spending attacks, and DoS attacks without user consent.
References (1)
Core References
Patch, Vendor Advisory (x_refsource_confirm): https://donjon.ledger.com/lsb/012/
Scores
CVSS v3: 8.1
EPSS: 0.0049
EPSS Percentile: 38.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Details
CWE: CWE-345
Status: published
Products (1): ledger/ledger_live < 2.7.0
Published: Jul 02, 2020
Tracked Since: Feb 18, 2026