GitHub_MCVELIST:CVE-2023-34458CVE-2023-34458 mx-chain-go's relayed transactions always increment nonce
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
0.001 Low
EPSS
Percentile
26.4%
mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction’s sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag RelayedNonceFixEnableEpoch was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17.
CNA Affected
[
{
"vendor": "multiversx",
"product": "mx-chain-go",
"versions": [
{
"version": "< 1.4.17",
"status": "affected"
}
]
}
]References
github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
Related
7.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
0.001 Low
EPSS
Percentile
26.4%