CVE-2022-32984 - Vulnerability disclosure affecting BTCPay Server V1.3.0 through V1.5.3. A remote attacker can obtain sensitive information when a Point of Sale app (BTCPay Server component) is publicly exposed.
On May 28, 2022 Antoine Poinsot responsibly disclosed a vulnerability affecting BTCPay Server v1.3.0 to v1.5.3. On the same day we released v1.5.4, which includes a patch for it. We’ve awarded Antoine a 5000 USD reward due to the severity of the vulnerability. He found an information leak in the Point of Sale (POS) component of BTCPay Server. If the store used an external Lightning node, both the store's xpub (extended public key) and its Lightning credentials could be leaked. If the store used the internal node, only the xpub could be leaked. Because of its severity, this is the highest bounty we have paid so far. We strive to uphold the highest of standards and seek to keep rewarding those who help us in this mission.
# ⏱️ Timeline
- Oct 29, 2021 release 1.3.0 : Introduction of vulnerability.
- May 28, 2022 : Vulnerability was disclosed
- May 28, 2022 release 1.5.4 : Vulnerability patched.
- Jun 8, 2022 : Release notes for 1.6.0 mention the security vulnerability and urge users to upgrade.
- Jun 10, 2022 : CVE candidate reserved
# CVE-2022-32984 (allows a remote attacker to obtain sensitive information if a publicly exposed POS app is available)
A malicious party could obtain sensitive information about publicly exposed Point Of Sale (POS) apps. This was possible through BTCPay Server version 1.3.0 to 1.5.3.
- Details: To exploit this vulnerability, an attacker only had to view the HTML source of a publicly exposed POS app; sensitive store information was embedded in the page. This included the store's xpub and, if the store was connected to an external Lightning node, the Lightning connection credentials. Stores connected to the internal node did not leak Lightning credentials, only the xpub.
- Users affected: Users running a publicly exposed Point Of Sale (POS) app.
- Impact: Anyone who could load the POS page could obtain the store's xpub and, for stores using an external node, its Lightning credentials. A leaked xpub lets a third party derive every address of the wallet and watch its balance and transaction history; leaked Lightning credentials could, depending on the permissions they carry, let an attacker interact with the node directly.
- Severity: Critical
- Affected versions: V1.3.0 to V1.5.3
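The two checks a practitioner would want after reading the details above are (a) whether a given BTCPay Server version falls in the affected window and (b) whether a POS page's HTML source still contains anything that looks like an xpub or a Lightning connection string. The script below is an added example written for this page, not code from BTCPay Server or from the reporter. It scans a constructed sample page; the placeholder xpub and the `type=...;server=...` connection-string shape it searches for are assumptions, and the page-data variable names in the sample are invented, not a reproduction of what the vulnerable POS page actually contained.

```python
import re
import sys
from urllib.request import urlopen

# Version window from the advisory: 1.3.0 introduced the leak, 1.5.4 fixed it.
FIRST_AFFECTED = (1, 3, 0)
FIRST_FIXED = (1, 5, 4)

# Extended public keys: xpub/ypub/zpub (mainnet), tpub/upub/vpub (testnet) and the
# multisig variants (Ypub/Zpub/Upub/Vpub); a Base58 body of roughly 107-111 chars follows.
XPUB_RE = re.compile(r"\b[xyztuvYZUV]pub[1-9A-HJ-NP-Za-km-z]{100,112}\b")

# Assumed shape of a BTCPay Lightning connection string, e.g.
# "type=lnd-rest;server=https://host:8080/;macaroon=<hex>". The match runs until
# whitespace or a quote/tag character so any trailing secret fields are captured too.
LN_RE = re.compile(r"type=[a-z][a-z-]*;server=[^\s\"'<>]+")


def parse_version(text: str) -> tuple:
    """Turn 'v1.5.3', '1.5.3' or '1.5.3-rc1' into a comparable tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])


def is_affected(version: str) -> bool:
    """True if the version is inside the window named by the advisory."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def find_leaks(html: str) -> dict:
    """Return xpub-like strings and Lightning connection strings found in page source."""
    return {
        "xpubs": XPUB_RE.findall(html),
        "lightning": LN_RE.findall(html),
    }


# Constructed placeholder: valid Base58 characters of plausible length, not a real key.
XPUB_PLACEHOLDER = "xpub" + "A1b2C3d4E5f6" * 9

# Constructed sample page (the variable names below are invented for this example).
SAMPLE_HTML = (
    "<html><body>\n"
    "<script>\n"
    "  var pageData = {\n"
    '    "wallet": "' + XPUB_PLACEHOLDER + '",\n'
    '    "ln": "type=lnd-rest;server=https://127.0.0.1:8080/;macaroon=0201036c6e64"\n'
    "  };\n"
    "</script>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    # Usage: python pos_leak_check.py https://pay.example.com/apps/<appid>/pos
    # (URL is an assumption; point it at your own POS page). With no argument,
    # the constructed sample above is scanned instead.
    if len(sys.argv) > 1:
        with urlopen(sys.argv[1]) as resp:
            page = resp.read().decode("utf-8", "replace")
    else:
        page = SAMPLE_HTML
    print(find_leaks(page))
```

Run it against your own public POS page after upgrading: an empty result for both keys is what a patched instance should produce. A hit does not prove the page is vulnerable to this exact CVE (any page that embeds these strings is a problem), which is why the check is worth keeping around as a regression test.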
# Summary
If your BTCPay Server instance is currently running any version from 1.3.0 to 1.5.3, we highly recommend upgrading immediately to 1.5.4 or later (preferably the latest release). You can find the version number of your BTCPay Server in the bottom right of the dashboard. To update, go to Server Settings > Maintenance tab and click Update, or run btcpay-update.sh from the command line.
We want to thank Antoine for submitting this vulnerability and doing so in an orderly manner. We’ve agreed to disclose the amount awarded. As an open-source project, BTCPay Server values and will always reward those who further improve the software and its security.
Thank you 💚