{
  "schema_version": "1.4.0",
  "id": "GHSA-r66w-gh88-5cgc",
  "modified": "2022-05-24T16:55:55Z",
  "published": "2022-05-24T16:55:55Z",
  "aliases": [
    "CVE-2019-16214"
  ],
  "details": "Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character for a comment. For example, a Move module author can enter the // sequence (which introduces a single-line comment), followed by very brief comment text, the \\r character, and code that has security-critical functionality. In many popular environments, this code is displayed on a separate line, and thus a reader may infer that the code is executed. However, the code is NOT executed, because language/compiler/ir_to_bytecode/src/parser.rs allows the comment to continue after the \\r character.",
  "severity": [],
  "affected": [],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libra/libra/commit/7efb0221989f17fdf7f8486730898ed947a1e19e"
    },
    {
      "type": "WEB",
      "url": "https://blog.openzeppelin.com/libra-vulnerability-release"
    },
    {
      "type": "WEB",
      "url": "https://blog.openzeppelin.com/libra-vulnerability-summary"
    }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "LOW",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-11T04:15:00Z"
  }
}