CVE-2023-33964

2023-05-3118:15:09

CWE-20

[email protected]

web.nvd.nist.gov

mx-chain-go

multiversx

blockchain protocol

go language

cve-2023-33964

metachain

cross-shard miniblock

notarization

security patch

transaction processor

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

33.0%

JSON

mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor. This is strictly a processing issue that could have happened on MultiversX chain. If an error like this had occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch in version 1.4.16 introduces processIfTxErrorCrossShard for the metachain transaction processor. There are no known workarounds for this issue.

Affected configurations

Vulners

NVD

Node

multiversxmx-chain-goRange<1.4.16

VendorProductVersionCPE
multiversxmx\-chain\-go*cpe:2.3:a:multiversx:mx\-chain\-go:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
multiversx	mx\-chain\-go	*	cpe:2.3:a:multiversx:mx\-chain\-go::::::::

CNA Affected

[
  {
    "vendor": "multiversx",
    "product": "mx-chain-go",
    "versions": [
      {
        "version": "< 1.4.16",
        "status": "affected"
      }
    ]
  }
]