CVE-2022-32984 - Vulnerability disclosure affecting BTCPay Server V1.3.0 through V1.5.3. A remote attacker can obtain sensitive information when a Point of Sale app ( BTCPay Server component) is publicly exposed.
On May 28, 2022 Antoine Poinsot responsibly disclosed a vulnerability affecting BTCPay Server v1.3.0 to v1.5.3. On the same day we released v1.5.4 that included a patch for said vulnerability. We’ve awarded Antoine a 5000 USD reward due to the severity of the vulnerability. He had found an information leak in the Point of Sale (POS) component of BTCPay Server. If an external node was used, xpub (public key) and lightning credentials were possibly leaked. If you used an internal node, only xpub could have been possibly leaked. Due to the severity of this vulnerability, it’s the highest paid bounty so far. We strive to uphold the highest of standards and seek to keep rewarding those who help us in this mission.
- Oct 29, 2021 release 1.3.0 : Introduction of vulnerability.
- May 28, 2022 : Vulnerability was disclosed
- May 28, 2022 release 1.5.4 : Vulnerability patched.
- Jun 8, 2022 : Included patch notes on Security Vulnerability in release 1.6.0 urging people to upgrade.
- Jun 10, 2022 : CVE candidate reserved