GHSA-qf7j-25g9-r63f

Published: 01 Sep 2022
Source: github
Github: Reviewed
CVSS3: 7.5

Description

elrond-go MultiESDTNFTTransfer call on a SC address with missing function name

Impact

Anyone who uses elrond-go to process blocks (historical or actual) that contain a transaction like this is affected: `MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@` (mind the missing function name after the last `@`). Basic functionality like p2p messaging, storage, API requests and such is unaffected.
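As an added example (not code from elrond-go or from the advisory), the Go check below flags transaction data fields with the shape described above, for instance when auditing stored transactions. The field layout (token count, then token ID / nonce / value triples, then the function name) is an assumption inferred from the advisory's sample, and `hasMissingFunctionName` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// hasMissingFunctionName reports whether a transaction data field matches the
// advisory's sample: MultiESDTNFTTransfer, a hex token count, that many
// (token ID, nonce, value) triples, and then an empty function-name field.
// Assumption: the layout is inferred from the sample in the advisory.
func hasMissingFunctionName(data string) bool {
	parts := strings.Split(data, "@")
	if parts[0] != "MultiESDTNFTTransfer" || len(parts) < 2 {
		return false
	}
	n, err := strconv.ParseUint(parts[1], 16, 16)
	if err != nil || n == 0 {
		return false // token count is not usable hex; a different problem
	}
	fnIdx := 2 + 3*int(n) // index where the function name would sit
	if len(parts) <= fnIdx {
		return false // plain transfer: nothing follows the token triples
	}
	return parts[fnIdx] == ""
}

func main() {
	// Sample from the advisory, plus two constructed variants for comparison.
	samples := []string{
		"MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@",
		"MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca",
		"MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@6465706f736974",
	}
	for _, s := range samples {
		fmt.Printf("%v  %s\n", hasMissingFunctionName(s), s)
	}
}
```

Only the first sample is flagged: it ends with an `@` that introduces an empty function name.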

Patches

Patch v1.3.34 or higher

Workarounds

No workarounds

References

For future reference, one can observe the following integration test: [provide the link to the integration test]

For more information

If you have any questions or comments about this advisory:

Packages

Name: github.com/ElrondNetwork/elrond-go (go)
Affected versions: <= 1.3.33
Fixed version: 1.3.34

EPSS

Percentile: 51%
0.00282
Low

CVSS3

7.5 High

Weaknesses

CWE-20

Related vulnerabilities

CVSS3: 7.5
nvd
more than 3 years ago

Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.34, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction like this: `MultiESDTNFTTransfer` with a missing function name. Basic functionality like p2p messaging, storage, API requests and such are unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.
