Impact
Anyone who uses elrond-go to process blocks (historical or actual) that contains a transaction like this: MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@ (mind the missing function name after the last @)
Basic functionality like p2p messaging, storage, API requests and such are unaffected.
Patches
Patch v1.3.34 or higher
Workarounds
No workarounds
References
For future reference, one can observe the following integration test:
[provide the link to the integration test]
For more information
If you have any questions or comments about this advisory:
- Open an issue in elrond-go (http://github.com/ElrondNetwork/elrond-go/issues)
References
- https://github.com/ElrondNetwork/elrond-go/security/advisories/GHSA-qf7j-25g9-r63f
- https://github.com/ElrondNetwork/elrond-go/commit/cb487fd7be2a2077638eb34ae771a73630c870c7
- https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402
- https://nvd.nist.gov/vuln/detail/CVE-2022-36058
- https://github.com/advisories/GHSA-qf7j-25g9-r63f