x/vulndb: potential Go vuln in github.com/ElrondNetwork/elrond-go: CVE-2022-36058 #970

Closed
GoVulnBot opened this issue Sep 6, 2022 · 4 comments
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

@GoVulnBot

CVE-2022-36058 references github.com/ElrondNetwork/elrond-go, which may be a Go module.

Description:
Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a MultiESDTNFTTransfer transaction like this: MultiESDTNFTTransfer with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/ElrondNetwork/elrond-go
    packages:
      - package: elrond-go
description: |
    Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.
cves:
  - CVE-2022-36058
references:
  - web: https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f
  - fix: https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7
  - web: https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402

@julieqiu julieqiu added excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed NeedsTriage labels Sep 12, 2022
@julieqiu
Member

Vulnerability in tool.

@gopherbot
Contributor

Change https://go.dev/cl/430359 mentions this issue: data/excluded: add GO-2022-0970.yaml for CVE-2022-36058

@gopherbot
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Contributor

Change https://go.dev/cl/607229 mentions this issue: data/reports: unexclude 20 reports (27)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0922.yaml
  - data/reports/GO-2022-0923.yaml
  - data/reports/GO-2022-0924.yaml
  - data/reports/GO-2022-0925.yaml
  - data/reports/GO-2022-0928.yaml
  - data/reports/GO-2022-0929.yaml
  - data/reports/GO-2022-0933.yaml
  - data/reports/GO-2022-0936.yaml
  - data/reports/GO-2022-0937.yaml
  - data/reports/GO-2022-0938.yaml
  - data/reports/GO-2022-0939.yaml
  - data/reports/GO-2022-0953.yaml
  - data/reports/GO-2022-0959.yaml
  - data/reports/GO-2022-0960.yaml
  - data/reports/GO-2022-0964.yaml
  - data/reports/GO-2022-0970.yaml
  - data/reports/GO-2022-0971.yaml
  - data/reports/GO-2022-0981.yaml
  - data/reports/GO-2022-0982.yaml
  - data/reports/GO-2022-0983.yaml

Updates #922
Updates #923
Updates #924
Updates #925
Updates #928
Updates #929
Updates #933
Updates #936
Updates #937
Updates #938
Updates #939
Updates #953
Updates #959
Updates #960
Updates #964
Updates #970
Updates #971
Updates #981
Updates #982
Updates #983

Change-Id: I2c7e7a823ba3bf18dab1234a40c08ac4825903f6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607229
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>