GHSA-qj6r-fhrc-jj5r: Remote denial of service in Hyperledger Fabric Gateway

Package

gomod github.com/hyperledger/fabric (Go)

Affected versions

>= 2.4.0, < 2.4.6

Patched versions

2.4.6

Description

Impact

If a gateway client application sends a malformed request to a gateway peer it may crash the peer node.
This fix checks for the malformed gateway request and returns an error to the gateway client.

Patches

Fixed in v2.4.6.

Workarounds

None, users must upgrade to v2.4.6.

References

https://github.com/hyperledger/fabric/releases/tag/v2.4.6

For more information

If you have any questions or comments about this advisory:

• Open an issue in Fabric

Credits

Thank you to Haosheng Wang of OPPO ZIWU Security Lab for this disclosure.

References

• GHSA-qj6r-fhrc-jj5r
• https://nvd.nist.gov/vuln/detail/CVE-2022-36023
• https://github.com/hyperledger/fabric/releases/tag/v2.4.6

denyeart published the maintainer security advisory

Aug 16, 2022

Severity

High

7.0

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Weaknesses

CWE-20

CVE ID

CVE-2022-36023

GHSA ID

GHSA-qj6r-fhrc-jj5r

Source code

hyperledger/fabric

Credits

• fatal0

Checking history

See something to contribute? Suggest improvements for this vulnerability.