Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xajZyLWZocmMtamo1cs4AAvUB

Remote denial of service in Hyperledger Fabric Gateway

Impact

If a gateway client application sends a malformed request to a gateway peer it may crash the peer node.
This fix checks for the malformed gateway request and returns an error to the gateway client.

Patches

Fixed in v2.4.6.

Workarounds

None, users must upgrade to v2.4.6.

References

https://github.com/hyperledger/fabric/releases/tag/v2.4.6

For more information

If you have any questions or comments about this advisory:

Open an issue in Fabric

Credits

Thank you to Haosheng Wang of OPPO ZIWU Security Lab for this disclosure.

Permalink: https://github.com/advisories/GHSA-qj6r-fhrc-jj5r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xajZyLWZocmMtamo1cs4AAvUB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago

CVSS Score: 7.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS Percentage: 0.00142
EPSS Percentile: 0.50523

Identifiers: GHSA-qj6r-fhrc-jj5r, CVE-2022-36023
References:

Repository: https://github.com/hyperledger/fabric
Blast Radius: 18.2

Affected Packages

go:github.com/hyperledger/fabric

Dependent packages: 322
Dependent repositories: 401
Downloads:
Affected Version Ranges: >= 2.4.0, < 2.4.6
Fixed in: 2.4.6
All affected versions:
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 2.0.0, 2.0.1, 2.1.0, 2.1.1