CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.001 Low
Percentile: 30.7%
Anyone who uses elrond-go to process blocks (historical or actual) that contain a transaction like this is affected: MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@ (mind the missing function name after the last @).
Basic functionality like p2p messaging, storage, API requests and such are unaffected.
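The following check is an added example, not code from the advisory or from elrond-go: it flags a transaction data field with the shape quoted above, a MultiESDTNFTTransfer whose function-name slot is present but empty. The field layout (transfer count, then token/nonce/amount triples, then an optional function name) is an assumption inferred from the advisory's sample, and the names `EmptyTrailingFunction` and `ErrNotMultiTransfer` are hypothetical.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed layout, inferred from the advisory's sample (not elrond-go code):
// MultiESDTNFTTransfer@<count>@(<token>@<nonce>@<amount>)*count[@<function>[@<args>...]]
const builtin = "MultiESDTNFTTransfer"

var ErrNotMultiTransfer = errors.New("not a MultiESDTNFTTransfer data field")

// EmptyTrailingFunction reports whether data is a MultiESDTNFTTransfer whose
// function-name slot exists but is empty, the shape shown in the advisory.
func EmptyTrailingFunction(data string) (bool, error) {
	parts := strings.Split(data, "@")
	if parts[0] != builtin || len(parts) < 2 {
		return false, ErrNotMultiTransfer
	}
	for _, p := range parts[1:] { // every argument must be hex (empty is allowed)
		if _, err := hex.DecodeString(p); err != nil {
			return false, fmt.Errorf("argument %q is not hex: %w", p, err)
		}
	}
	count, ok := new(big.Int).SetString(parts[1], 16)
	if !ok || !count.IsInt64() || count.Int64() < 1 || count.Int64() > int64(len(parts)) {
		return false, errors.New("invalid transfer count")
	}
	fnIdx := 2 + 3*int(count.Int64()) // index of the function-name slot
	if len(parts) < fnIdx {
		return false, errors.New("truncated transfer list")
	}
	// No slot at all is a plain transfer; a slot holding "" is the flagged shape.
	return len(parts) > fnIdx && parts[fnIdx] == "", nil
}

func main() {
	// Data field quoted in the advisory.
	sample := "MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@"
	hit, err := EmptyTrailingFunction(sample)
	fmt.Println(hit, err)
}
```

Run over the data fields of transactions in stored blocks, this shows whether a node that has not yet been upgraded would encounter such a transaction.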
Patched in v1.3.34 or higher
No workarounds
For future reference, one can observe the following integration test:
[provide the link to the integration test]
If you have any questions or comments about this advisory:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/elrondnetwork/elrond-go | lt | 1.3.34 |
github.com/ElrondNetwork/elrond-go
github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402
github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7
github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f
nvd.nist.gov/vuln/detail/CVE-2022-36058