CVE-2023-33964

mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor. This is strictly a processing issue that could have happened on MultiversX chain. If an error like this had occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch in version 1.4.16 introduces `processIfTxErrorCrossShard` for the metachain transaction processor. There are no known workarounds for this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606	Patch
https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:multiversx:mx-chain-go:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2023-05-31 18:15

Updated : 2023-06-07 14:32

NVD link : CVE-2023-33964

Mitre link : CVE-2023-33964

CVE.ORG link : CVE-2023-33964

JSON object : View

Products Affected

multiversx

mx-chain-go

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2023-33964", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2023-05-31T18:15:09.437", "references": [{"url": "https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "mx-chain-go is an implementation of the MultiversX blockchain protocol written in the Go language. Metachain cannot process a cross-shard miniblock. Prior to version 1.4.16, an invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor. This is strictly a processing issue that could have happened on MultiversX chain. If an error like this had occurred, the metachain would have stopped notarizing blocks from the shard chains. The resuming of notarization is possible only after applying a patched binary version. A patch in version 1.4.16 introduces `processIfTxErrorCrossShard` for the metachain transaction processor. There are no known workarounds for this issue.\n"}], "lastModified": "2023-06-07T14:32:11.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:multiversx:mx-chain-go:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "97C7E7E5-D0DE-497B-BE07-19D3948CB95B", "versionEndExcluding": "1.4.16"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}