CVE-2023-33964 mx-chain-go does not treat invalid transaction with wrong username correctly

2023-05-3117:07:21

CWE-20

GitHub_M

www.cve.org

cve-2023-33964

mx-chain-go

username validation

vulnerability

multiversx

blockchain protocol

go language

processing issue

notarization

patched binary

version 1.4.16

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

35.5%

JSON

mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor. This is strictly a processing issue that could have happened on MultiversX chain. If an error like this had occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch in version 1.4.16 introduces processIfTxErrorCrossShard for the metachain transaction processor. There are no known workarounds for this issue.

CNA Affected

[
  {
    "vendor": "multiversx",
    "product": "mx-chain-go",
    "versions": [
      {
        "version": "< 1.4.16",
        "status": "affected"
      }
    ]
  }
]