All the vulnerabilites related to multiversx - mx-chain-go
cve-2023-33964
Vulnerability from cvelistv5
Published
2023-05-31 17:07
Modified
2024-08-02 15:54
Severity ?
EPSS score ?
Summary
mx-chain-go does not treat invalid transaction with wrong username correctly
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2 | x_refsource_CONFIRM | |
| https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| multiversx | mx-chain-go |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2"
},
{
"name": "https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mx-chain-go",
"vendor": "multiversx",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor. This is strictly a processing issue that could have happened on MultiversX chain. If an error like this had occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch in version 1.4.16 introduces `processIfTxErrorCrossShard` for the metachain transaction processor. There are no known workarounds for this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-31T17:07:21.667Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2"
},
{
"name": "https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606"
}
],
"source": {
"advisory": "GHSA-7xpv-4pm9-xch2",
"discovery": "UNKNOWN"
},
"title": "mx-chain-go does not treat invalid transaction with wrong username correctly"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33964",
"datePublished": "2023-05-31T17:07:21.667Z",
"dateReserved": "2023-05-24T13:46:35.953Z",
"dateUpdated": "2024-08-02T15:54:14.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-34458
Vulnerability from cvelistv5
Published
2023-07-13 18:45
Modified
2024-10-22 16:08
Severity ?
EPSS score ?
Summary
mx-chain-go's relayed transactions always increment nonce
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| multiversx | mx-chain-go |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.008Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp"
},
{
"name": "https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43"
},
{
"name": "https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14"
},
{
"name": "https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34458",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T16:07:41.496523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T16:08:19.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mx-chain-go",
"vendor": "multiversx",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction\u0027s sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T18:45:03.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp"
},
{
"name": "https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43"
},
{
"name": "https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14"
},
{
"name": "https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17"
}
],
"source": {
"advisory": "GHSA-j494-7x2v-vvvp",
"discovery": "UNKNOWN"
},
"title": "mx-chain-go\u0027s relayed transactions always increment nonce"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34458",
"datePublished": "2023-07-13T18:45:03.499Z",
"dateReserved": "2023-06-06T16:16:53.559Z",
"dateUpdated": "2024-10-22T16:08:19.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}