CVE-2022-36058 - OpenCVE

Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elrond	Elrond Go

Configuration 1 [-]

cpe:2.3:a:elrond:elrond_go:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402
https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7
https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-06T20:10:09

Updated: 2024-08-03T09:52:00.545Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36058

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-06T20:15:08.947

Modified: 2022-09-09T19:24:16.650

Link: CVE-2022-36058

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "elrond-go", "vendor": "ElrondNetwork", "versions": [{"status": "affected", "version": "<= 1.3.33"}]}], "descriptions": [{"lang": "en", "value": "Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-06T20:30:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402"}], "source": {"advisory": "GHSA-qf7j-25g9-r63f", "discovery": "UNKNOWN"}, "title": "elrond-go MultiESDTNFTTransfer call on a SC address with missing function name", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36058", "STATE": "PUBLIC", "TITLE": "elrond-go MultiESDTNFTTransfer call on a SC address with missing function name"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "elrond-go", "version": {"version_data": [{"version_value": "<= 1.3.33"}]}}]}, "vendor_name": "ElrondNetwork"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f", "refsource": "CONFIRM", "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f"}, {"name": "https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7", "refsource": "MISC", "url": "https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7"}, {"name": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402", "refsource": "MISC", "url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402"}]}, "source": {"advisory": "GHSA-qf7j-25g9-r63f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:52:00.545Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36058", "datePublished": "2022-09-06T20:10:09", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.545Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elrond:elrond_go:*:*:*:*:*:*:*:*", "matchCriteriaId": "1738D564-FE63-4750-BC8A-AF66BE9EF404", "versionEndExcluding": "1.3.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds."}, {"lang": "es", "value": "Elrond go es la implementaci\u00f3n de go para el protocolo Elrond Network. En versiones anteriores a 1.3.44, cualquiera que usa elrond-go para procesar bloques (hist\u00f3ricos o reales) podr\u00eda encontrarse con una transacci\u00f3n \"MultiESDTNFTTransfer\" como esta \"MultiESDTNFTTransfer\" con un nombre de funci\u00f3n faltante. Las funcionalidades b\u00e1sicas como la mensajer\u00eda p2p, el almacenamiento, las peticiones a la API y dem\u00e1s no est\u00e1n afectadas. La versi\u00f3n 1.3.34 contiene una correcci\u00f3n para este problema. No se presentan mitigaciones conocidas."}], "id": "CVE-2022-36058", "lastModified": "2022-09-09T19:24:16.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-06T20:15:08.947", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}