Bitcoin payment processor, BTCPay Server, has released a new version after Tesla’s security engineering team disclosed vulnerabilities. As such, any BTCPay Server user running a version older than v.126.96.36.199 is recommended to update your instance. Aaditya Purani, Sr. Security Engineer at Tesla said,
“Got assigned 6 CVEs for my findings on BtcpayServer. Highlights include a pre-auth remote code execution by combining two bugs (under certain circumstances). Thanks to BtcpayServer for their swift remediation actions. Please update your instances to v1.1.0.”
Tesla’s security engineering team first reported the vulnerabilities on April 19th, and after investigating and confirming them. BTCPay Server, along with Tesla’s team, patched the vulnerabilities. A newly patched version, v188.8.131.52, has been released today. The vulnerabilities included CVE-2021-29251, a critical one that allowed a malicious part to generate an email asking for a password reset to the victim. If the victim clicked, then the targeted account could be taken over. In CVE-2021-29246, BTCPay Server wasn’t properly validating file names in upload forms, which could result in uploaded files being saved in arbitrary locations on the server. CVE-2021-29250 was related to XSS vulnerability in the Point of Sale feature. Another CVE-2021-29245 allowed the generation of legacy API Keys which can be used to generate new invoices, and the selection of UTXOs in Payjoin were using a weak RNG. CVE-2021-29247 involved the lack of httponly, and CVE-2021-29248 allowed a remote attacker to obtain sensitive information. “We would like to thank Tesla for submitting the disclosure that led to these fixes and helping us with remediation,” stated BTCPay Server, which is now looking into the creation of a bug-bounty program as one way to improve the security process. Earlier this year, Tesla announced its billion-dollar worth bitcoin holdings and then later started accepting BTC as a payment. Instead of converting to cash, the company will be holding.