Vulnerability-Lookup

CVE-2022-46173 (GCVE-0-2022-46173)

Vulnerability from cvelistv5 – Published: 2022-12-28 06:27 – Updated: 2025-04-11 15:46

Title

Elrond go Processing: fallback search of SCRs when not found in the main cache

Summary

Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn't found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

CWE

CWE-669 - Incorrect Resource Transfer Between Spheres

Assigner

GitHub_M

References

URL

Tags

	https://github.com/ElrondNetwork/elrond-go/securi…	x_refsource_CONFIRM
	https://github.com/ElrondNetwork/elrond-go/pull/4718	x_refsource_MISC
	https://github.com/ElrondNetwork/elrond-go/commit…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ElrondNetwork	elrond-go	Affected: < 1.3.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.318Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
          },
          {
            "name": "https://github.com/ElrondNetwork/elrond-go/pull/4718",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
          },
          {
            "name": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-46173",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-11T15:45:52.484070Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-11T15:46:02.255Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "elrond-go",
          "vendor": "ElrondNetwork",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669: Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-28T06:27:55.036Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
        },
        {
          "name": "https://github.com/ElrondNetwork/elrond-go/pull/4718",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
        },
        {
          "name": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
        }
      ],
      "source": {
        "advisory": "GHSA-p228-4mrh-ww7r",
        "discovery": "UNKNOWN"
      },
      "title": "Elrond go Processing: fallback search of SCRs when not found in the main cache"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-46173",
    "datePublished": "2022-12-28T06:27:55.036Z",
    "dateReserved": "2022-11-28T17:27:19.998Z",
    "dateUpdated": "2025-04-11T15:46:02.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r\", \"name\": \"https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/ElrondNetwork/elrond-go/pull/4718\", \"name\": \"https://github.com/ElrondNetwork/elrond-go/pull/4718\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3\", \"name\": \"https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T14:24:03.318Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-46173\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-11T15:45:52.484070Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-11T15:45:57.428Z\"}}], \"cna\": {\"title\": \"Elrond go Processing: fallback search of SCRs when not found in the main cache\", \"source\": {\"advisory\": \"GHSA-p228-4mrh-ww7r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ElrondNetwork\", \"product\": \"elrond-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.3.50\"}]}], \"references\": [{\"url\": \"https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r\", \"name\": \"https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/ElrondNetwork/elrond-go/pull/4718\", \"name\": \"https://github.com/ElrondNetwork/elrond-go/pull/4718\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3\", \"name\": \"https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-669\", \"description\": \"CWE-669: Incorrect Resource Transfer Between Spheres\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-28T06:27:55.036Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-46173\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-11T15:46:02.255Z\", \"dateReserved\": \"2022-11-28T17:27:19.998Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-12-28T06:27:55.036Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-P228-4MRH-WW7R

Vulnerability from github – Published: 2022-12-30 16:57 – Updated: 2022-12-30 16:57

Summary

Elrond-GO processing: fallback search of SCRs when not found in the main cache

Details

Impact

Processing issue, nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn't found in the correct (expected) sharded-cache.

Patches

All versions >= v1.3.50 will contain this patch

Workarounds

For the moment there is no workaround

References

N/A

For more information

If you have any questions or comments about this advisory: * Open an issue in elrond-go main repo

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.48"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ElrondNetwork/elrond-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.50"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-669"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T16:57:11Z",
    "nvd_published_at": "2022-12-28T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nProcessing issue, nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. \n\n### Patches\nAll versions \u003e= v1.3.50 will contain this patch\n\n### Workarounds\nFor the moment there is no workaround\n\n### References\nN/A\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [elrond-go main repo](https://github.com/ElrondNetwork/elrond-go)\n",
  "id": "GHSA-p228-4mrh-ww7r",
  "modified": "2022-12-30T16:57:11Z",
  "published": "2022-12-30T16:57:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ElrondNetwork/elrond-go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elrond-GO processing: fallback search of SCRs when not found in the main cache"
}

FKIE_CVE-2022-46173

Vulnerability from fkie_nvd - Published: 2022-12-28 07:15 - Updated: 2024-11-21 07:30

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ElrondNetwork/elrond-go/pull/4718	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ElrondNetwork/elrond-go/pull/4718	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r	Third Party Advisory

Impacted products

	Vendor	Product	Version
	elrond	elrond_go	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:elrond:elrond_go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "27E29720-84DC-443C-9D47-3B5AE64B4804",
              "versionEndExcluding": "1.3.50",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50.\n"
    },
    {
      "lang": "es",
      "value": "Elrond-GO es una implementaci\u00f3n del protocolo Elrond Network. Las versiones anteriores a la 1.3.50 est\u00e1n sujetas a un problema de procesamiento en el que los nodos se ven afectados al intentar procesar una transacci\u00f3n retransmitida entre fragmentos con datos de transacci\u00f3n de implementaci\u00f3n de contrato inteligente. El problema era una mala correlaci\u00f3n entre los cach\u00e9s de transacciones y el componente de procesamiento. Si la transacci\u00f3n mencionada anteriormente se envi\u00f3 con m\u00e1s gas del requerido, el resultado del contrato inteligente (transacci\u00f3n SCR) que deber\u00eda haber devuelto el gas sobrante, se habr\u00eda agregado err\u00f3neamente a un cach\u00e9 que la unidad de procesamiento no consider\u00f3. El nodo dej\u00f3 de certificar ante notario los bloques de metacadena. En realidad, la soluci\u00f3n fue extender la b\u00fasqueda de transacciones SCR en todos los dem\u00e1s cach\u00e9s si no se encontraba en el cach\u00e9 fragmentado correcto (esperado). No se conocen workarounds en este momento. Este problema se solucion\u00f3 en la versi\u00f3n 1.3.50."
    }
  ],
  "id": "CVE-2022-46173",
  "lastModified": "2024-11-21T07:30:15.487",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-28T07:15:08.577",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-669"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2022-46173

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-46173

Aliases

CVE-2022-46173

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-46173",
    "id": "GSD-2022-46173"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-46173"
      ],
      "details": "Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50.",
      "id": "GSD-2022-46173",
      "modified": "2023-12-13T01:19:37.710025Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-46173",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "elrond-go",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.3.50"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ElrondNetwork"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-669",
                "lang": "eng",
                "value": "CWE-669: Incorrect Resource Transfer Between Spheres"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r",
            "refsource": "MISC",
            "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
          },
          {
            "name": "https://github.com/ElrondNetwork/elrond-go/pull/4718",
            "refsource": "MISC",
            "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
          },
          {
            "name": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3",
            "refsource": "MISC",
            "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-p228-4mrh-ww7r",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv1.3.50",
          "affected_versions": "All versions before 1.3.50",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-669",
            "CWE-937"
          ],
          "date": "2023-01-09",
          "description": "Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit does not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50.",
          "fixed_versions": [
            "v1.3.50"
          ],
          "identifier": "CVE-2022-46173",
          "identifiers": [
            "CVE-2022-46173",
            "GHSA-p228-4mrh-ww7r"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/ElrondNetwork/elrond-go",
          "pubdate": "2022-12-28",
          "solution": "Upgrade to version 1.3.50 or above.",
          "title": "Incorrect Resource Transfer Between Spheres",
          "urls": [
            "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-46173",
            "https://github.com/ElrondNetwork/elrond-go/pull/4718",
            "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3",
            "https://github.com/advisories/GHSA-p228-4mrh-ww7r"
          ],
          "uuid": "70fea220-a9f4-4127-aa06-d08aa8628476",
          "versions": [
            {
              "commit": {
                "sha": "6d6d498910f0dc9fe227a921de16f4441a6dbf36",
                "tags": [
                  "v1.3.50"
                ],
                "timestamp": "20221120213347"
              },
              "number": "v1.3.50"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:elrond:elrond_go:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.3.50",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-46173"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between the transaction caches and the processing component. If the above-mentioned transaction was sent with more gas than required, the smart contract result (SCR transaction) that should have returned the leftover gas, would have been wrongly added to a cache that the processing unit did not consider. The node stopped notarizing metachain blocks. The fix was actually to extend the SCR transaction search in all other caches if it wasn\u0027t found in the correct (expected) sharded-cache. There are no known workarounds at this time. This issue has been patched in version 1.3.50."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-669"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-p228-4mrh-ww7r"
            },
            {
              "name": "https://github.com/ElrondNetwork/elrond-go/pull/4718",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ElrondNetwork/elrond-go/pull/4718"
            },
            {
              "name": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ElrondNetwork/elrond-go/commit/39d7ddcb08bb34217dab6daef7cd9d287fb8cab3"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2023-01-09T14:17Z",
      "publishedDate": "2022-12-28T07:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-46173 (GCVE-0-2022-46173)

GHSA-P228-4MRH-WW7R

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2022-46173

GSD-2022-46173

Tags

Sightings

Nomenclature