Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/multiversx/mx-chain-go: CVE-2023-34458 #1913

Closed
GoVulnBot opened this issue Jul 13, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/multiversx/mx-chain-go: CVE-2023-34458 #1913

GoVulnBot opened this issue Jul 13, 2023 · 1 comment

Comments

@GoVulnBot
Copy link

CVE-2023-34458 references github.com/multiversx/mx-chain-go, which may be a Go module.

Description:
mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag RelayedNonceFixEnableEpoch was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/multiversx/mx-chain-go
      vulnerable_at: 1.5.10
      packages:
        - package: mx-chain-go
description: |-
    mx-chain-go is the official implementation of the MultiversX blockchain
    protocol, written in golang. When executing a relayed transaction, if the inner
    transaction failed, it would have increased the inner transaction's sender
    account nonce. This could have contributed to a limited DoS attack on a targeted
    account. The fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch`
    was needed. This was a strict processing issue while validating blocks on a
    chain. This vulnerability has been patched in version 1.4.17.
cves:
    - CVE-2023-34458
references:
    - advisory: https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
    - fix: https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
    - web: https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
    - web: https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
@neild
Copy link
Contributor

neild commented Jul 25, 2023

Duplicate of #1912

@neild neild marked this as a duplicate of #1912 Jul 25, 2023
@neild neild closed this as completed Jul 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@neild @GoVulnBot