golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/multiversx/mx-chain-go: GHSA-j494-7x2v-vvvp #1912

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-j494-7x2v-vvvp, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/multiversx/mx-chain-go | 1.4.17 | < 1.4.17 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
    - module: github.com/multiversx/mx-chain-go
      versions:
        - fixed: 1.4.17
      vulnerable_at: 1.4.16
      packages:
        - package: github.com/multiversx/mx-chain-go
summary: mx-chain-go's relayed transactions always increment nonce
description: |-
    ### Impact
    When executing a relayed transaction, if the inner transaction
    failed, it would have increased the inner transaction's sender account nonce.
    This could have contributed to a limited DoS attack on a targeted account. The
    fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch` was needed.
    This was a strict processing issue while validating blocks on a chain.

    ### Patches
    v1.4.17 and later versions contain the fix for this issue.

    ### Workarounds
    There were no workarounds for this issue. The affected account
    could only wait for the DoS attack to finish as the attack was not free, or
    attempt to send transactions in a very fast manner so as to compete on the same
    nonce with the attacker.

    ### References
    For the future understanding of this issue, on v1.4.17 and
    onwards versions, we have this integration test that addresses the issue and
    tests the fix.
    https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
cves:
    - CVE-2023-34458
ghsas:
    - GHSA-j494-7x2v-vvvp
references:
    - advisory: https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
    - fix: https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
    - web: https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
    - web: https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
    - advisory: https://github.com/advisories/GHSA-j494-7x2v-vvvp
```
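To make the nonce bookkeeping described in the advisory's Impact section concrete, the following Go sketch is an added example and not mx-chain-go's own code. It models a ledger in which a relayed transaction's inner sender has its nonce consumed before the inner body runs (the vulnerable behaviour), beside the fixed ordering in which the nonce is consumed only when the inner body succeeds. The `Chain`, `Account`, `Tx` types and the `Scenario` function are hypothetical; the `RelayedNonceFix` bool stands in for the epoch-gated `RelayedNonceFixEnableEpoch` flag the advisory names; and how an inner transaction comes to fail is out of scope, so the scenario simply marks it as failing. The scenario then shows why the victim's next transaction, built against the nonce it last observed, is rejected under the old behaviour and accepted under the fix.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative sketch (added example); none of these names are mx-chain-go's.

// Account holds the only state the sketch needs: the sender's nonce.
type Account struct {
	Nonce uint64
}

// Tx is a stripped-down transaction: sender, claimed nonce, and whether its
// body executes successfully (decided by the scenario, not by real semantics).
type Tx struct {
	Sender   string
	Nonce    uint64
	Succeeds bool
}

var (
	ErrNonceMismatch = errors.New("nonce mismatch")
	ErrInnerFailed   = errors.New("inner transaction failed")
)

// Chain is a minimal ledger. RelayedNonceFix stands in for the epoch-gated
// RelayedNonceFixEnableEpoch flag from the advisory, reduced to a bool.
type Chain struct {
	Accounts        map[string]*Account
	RelayedNonceFix bool
}

func NewChain(fixEnabled bool, senders ...string) *Chain {
	c := &Chain{Accounts: map[string]*Account{}, RelayedNonceFix: fixEnabled}
	for _, s := range senders {
		c.Accounts[s] = &Account{}
	}
	return c
}

// execute runs a transaction body; failure is whatever the scenario dictates.
func execute(tx Tx) error {
	if !tx.Succeeds {
		return ErrInnerFailed
	}
	return nil
}

// ProcessDirect applies a transaction the sender submitted itself: the nonce
// is consumed once the transaction is accepted, whether or not the body succeeds.
func (c *Chain) ProcessDirect(tx Tx) error {
	acc := c.Accounts[tx.Sender]
	if acc.Nonce != tx.Nonce {
		return ErrNonceMismatch
	}
	acc.Nonce++
	return execute(tx)
}

// ProcessRelayed applies the inner transaction carried by a relayed one.
// Fix disabled (vulnerable): the inner sender's nonce is consumed before the
// body runs, so a failing inner tx still advances it.
// Fix enabled: the nonce is consumed only when the body succeeds.
func (c *Chain) ProcessRelayed(inner Tx) error {
	acc := c.Accounts[inner.Sender]
	if acc.Nonce != inner.Nonce {
		return ErrNonceMismatch
	}
	if !c.RelayedNonceFix {
		acc.Nonce++
		return execute(inner)
	}
	if err := execute(inner); err != nil {
		return err
	}
	acc.Nonce++
	return nil
}

// Scenario processes `failing` relayed transactions whose inner tx is from
// "victim" and fails, then lets the victim submit its own transaction at the
// nonce it last observed (0). Returns the victim's final nonce and that outcome.
func Scenario(fixEnabled bool, failing int) (uint64, error) {
	c := NewChain(fixEnabled, "victim")
	for i := 0; i < failing; i++ {
		cur := c.Accounts["victim"].Nonce
		_ = c.ProcessRelayed(Tx{Sender: "victim", Nonce: cur, Succeeds: false})
	}
	err := c.ProcessDirect(Tx{Sender: "victim", Nonce: 0, Succeeds: true})
	return c.Accounts["victim"].Nonce, err
}

func main() {
	for _, fix := range []bool{false, true} {
		nonce, err := Scenario(fix, 3)
		fmt.Printf("fix enabled=%v: victim nonce=%d, own tx error=%v\n", fix, nonce, err)
	}
}
```

Running it prints the victim stuck at nonce 3 with its own transaction rejected for a nonce mismatch when the fix is off, and nonce 1 with no error when the fix is on. The difference is purely the order of the nonce increment relative to the inner execution, which is also why the real fix had to be gated by an epoch flag: nodes that disagree on that order would compute different state for the same block.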
gopherbot commented 1 year ago

Change https://go.dev/cl/513195 mentions this issue: data/excluded: batch add 26 excluded reports

gopherbot commented 1 month ago

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports