golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/ElrondNetwork/elrond-go: CVE-2022-36061 #971

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 2 years ago

CVE-2022-36061 references github.com/ElrondNetwork/elrond-go, which may be a Go module.

Description: Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B state, the state will be altered for contract B as if the call was not made in the read-only mode. This can lead to some effects not designed by the original smart contracts programmers. This issue was patched in version 1.3.35. There are no known workarounds.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/ElrondNetwork/elrond-go
    packages:
      - package: elrond-go
description: "Elrond go is the go implementation for the Elrond Network protocol.
    In versions prior to 1.3.35, read only calls between contracts can generate smart
    contracts results. For example, if contract A calls in read only mode contract
    B and the called function will make changes upon the contract's B state, the state
    will be altered for contract B as if the call was not made in the read-only mode.
    This can lead to some effects not designed by the original smart contracts programmers.
    This issue was patched in version 1.3.35. There are no known workarounds. \n"
cves:
  - CVE-2022-36061
references:
  - web: https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-mv8x-668m-53fg
  - web: https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452
  - web: https://github.com/ElrondNetwork/elrond-go/releases/tag/v1.3.35

julieqiu commented 1 year ago

Vulnerability in tool.

gopherbot commented 1 year ago

Change https://go.dev/cl/430360 mentions this issue: data/excluded: add GO-2022-0971.yaml for CVE-2022-36061

gopherbot commented 2 months ago

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

gopherbot commented 2 weeks ago

Change https://go.dev/cl/607229 mentions this issue: data/reports: unexclude 20 reports (27)