7.5

CVE-2022-36058

Exploit

elrond-go MultiESDTNFTTransfer call on a SC address with missing function name

Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ElrondElrond Go Version < 1.3.34
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.95% 0.566
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402
Third Party Advisory
https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7
Patch
Third Party Advisory
https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f
Third Party Advisory
Exploit