CVE-2022-36061

Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B state, the state will be altered for contract B as if the call was not made in the read-only mode. This can lead to some effects not designed by the original smart contracts programmers. This issue was patched in version 1.3.35. There are no known workarounds.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ElrondNetwork/elrond-go/releases/tag/v1.3.35	Third Party Advisory
https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452	Exploit Third Party Advisory
https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-mv8x-668m-53fg	Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:elrond:elrond_go:*:*:*:*:*:*:*:*

Information

Published : 2022-09-06 14:15

Updated : 2022-09-09 12:22

NVD link : CVE-2022-36061

Mitre link : CVE-2022-36061

JSON object : View

CWE

CWE-665

Improper Initialization

Advertisement

Products Affected

elrond

elrond_go

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/ElrondNetwork/elrond-go/releases/tag/v1.3.35", "name": "https://github.com/ElrondNetwork/elrond-go/releases/tag/v1.3.35", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452", "name": "https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L452", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-mv8x-668m-53fg", "name": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-mv8x-668m-53fg", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract's B state, the state will be altered for contract B as if the call was not made in the read-only mode. This can lead to some effects not designed by the original smart contracts programmers. This issue was patched in version 1.3.35. There are no known workarounds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-665"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-36061", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2022-09-06T21:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:elrond:elrond_go:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.3.35"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-09-09T19:22Z"}