Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-qf7j-25g9-r63f: elrond-go MultiESDTNFTTransfer call on a SC address with missing function name

Impact

Anyone who uses elrond-go to process blocks (historical or actual) that contains a transaction like this: MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@ (mind the missing function name after the last @) Basic functionality like p2p messaging, storage, API requests and such are unaffected.

Patches

Patch v1.3.34 or higher

Workarounds

No workarounds

References

For future reference, one can observe the following integration test: [provide the link to the integration test]

For more information

If you have any questions or comments about this advisory:

  • Open an issue in elrond-go (http://github.com/ElrondNetwork/elrond-go/issues)
ghsa
Open in Source
#vulnerability#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2022-36058

elrond-go MultiESDTNFTTransfer call on a SC address with missing function name

Critical severity GitHub Reviewed Published Sep 1, 2022 in ElrondNetwork/elrond-go • Updated Sep 1, 2022

Vulnerability details Dependabot alerts 0

Package

gomod github.com/ElrondNetwork/elrond-go (Go)

Affected versions

<= 1.3.33

Patched versions

1.3.34

Description

Impact

Anyone who uses elrond-go to process blocks (historical or actual) that contains a transaction like this: MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@ (mind the missing function name after the last @)
Basic functionality like p2p messaging, storage, API requests and such are unaffected.

Patches

Patch v1.3.34 or higher

Workarounds

No workarounds

References

For future reference, one can observe the following integration test:
[provide the link to the integration test]

For more information

If you have any questions or comments about this advisory:

  • Open an issue in elrond-go (http://github.com/ElrondNetwork/elrond-go/issues)

References

  • GHSA-qf7j-25g9-r63f
  • ElrondNetwork/elrond-go@cb487fd
  • https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402

iulianpascalau published the maintainer security advisory

Aug 29, 2022

Severity

Critical

Weaknesses

No CWEs

CVE ID

CVE-2022-36058

GHSA ID

GHSA-qf7j-25g9-r63f

Source code

ElrondNetwork/elrond-go

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Related news

CVE-2022-36058: Merge pull request from GHSA-qf7j-25g9-r63f · ElrondNetwork/elrond-go@cb487fd

Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.44, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.

ghsa: Latest News

GHSA-qg5g-gv98-5ffh: rustls network-reachable panic in `Acceptor::accept`
ghsa