Vulnerability Details CVE-2023-46132
Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules into one, called "cross-linking", results in a molecule whose chemical formula is composed of all the atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters how the peers parse them. If a first peer receives a block B and a second peer receives a block identical to B except that its transactions are cross-linked, the second peer will parse the transactions differently and its world state will therefore deviate from that of the first peer. Neither orderers nor peers can detect that a block has its transactions cross-linked, because of a vulnerability in the way Fabric hashes the transactions of a block: it simply and naively concatenates them, which is insecure and lets an adversary craft a "cross-linked block" (a block with cross-linked transactions) that alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer into skipping it entirely, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability.
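As an added illustration of the hashing weakness the description names (example code, not Fabric's own implementation or its fix): hashing a plain concatenation of transactions cannot tell where one transaction ends and the next begins, so merging two adjacent transactions leaves the digest unchanged, while a length-prefixed framing, assumed here as the hardened variant, makes the same change detectable. The sample transactions are constructed placeholders, not real Fabric envelopes.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// naiveBlockHash models the weak scheme the advisory describes: the
// serialized transactions are concatenated and hashed, so the digest
// carries no information about transaction boundaries.
func naiveBlockHash(txs [][]byte) [32]byte {
	return sha256.Sum256(bytes.Join(txs, nil))
}

// framedBlockHash is an illustrative hardened variant (an assumption for
// this example, not Fabric's code): the transaction count and each
// transaction's length are hashed along with the bytes, so re-partitioning
// the same byte stream produces a different digest.
func framedBlockHash(txs [][]byte) [32]byte {
	var buf bytes.Buffer
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(txs)))
	buf.Write(n[:])
	for _, tx := range txs {
		binary.BigEndian.PutUint64(n[:], uint64(len(tx)))
		buf.Write(n[:])
		buf.Write(tx)
	}
	return sha256.Sum256(buf.Bytes())
}

// mergeAdjacent re-partitions a block so that txs[i] and txs[i+1] become a
// single entry; not one byte of the concatenated stream changes. Out-of-range
// indices return an unchanged copy.
func mergeAdjacent(txs [][]byte, i int) [][]byte {
	if i < 0 || i+1 >= len(txs) {
		return append([][]byte{}, txs...)
	}
	out := make([][]byte, 0, len(txs)-1)
	out = append(out, txs[:i]...)
	out = append(out, append(append([]byte{}, txs[i]...), txs[i+1]...))
	return append(out, txs[i+2:]...)
}

func main() {
	// Constructed placeholder transactions.
	block := [][]byte{[]byte("tx1:alice->bob:5"), []byte("tx2:bob->carol:3"), []byte("tx3:carol->dave:1")}
	altered := mergeAdjacent(block, 0) // 3 transactions become 2, same bytes
	fmt.Println("naive hash unchanged: ", naiveBlockHash(block) == naiveBlockHash(altered))   // true
	fmt.Println("framed hash unchanged:", framedBlockHash(block) == framedBlockHash(altered)) // false
}
```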
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.002
EPSS Ranking: 40.2%
CVSS Severity
CVSS v3 Score: 7.1
Products affected by CVE-2023-46132
- cpe:2.3:a:hyperledger:fabric:1.0.0
- cpe:2.3:a:hyperledger:fabric:1.0.1
- cpe:2.3:a:hyperledger:fabric:1.0.2
- cpe:2.3:a:hyperledger:fabric:1.0.3
- cpe:2.3:a:hyperledger:fabric:1.0.4
- cpe:2.3:a:hyperledger:fabric:1.0.5
- cpe:2.3:a:hyperledger:fabric:1.0.6
- cpe:2.3:a:hyperledger:fabric:1.1.0
- cpe:2.3:a:hyperledger:fabric:1.1.1
- cpe:2.3:a:hyperledger:fabric:1.2.0
- cpe:2.3:a:hyperledger:fabric:1.2.1
- cpe:2.3:a:hyperledger:fabric:1.3.0
- cpe:2.3:a:hyperledger:fabric:1.4.0
- cpe:2.3:a:hyperledger:fabric:1.4.1
- cpe:2.3:a:hyperledger:fabric:1.4.10
- cpe:2.3:a:hyperledger:fabric:1.4.11
- cpe:2.3:a:hyperledger:fabric:1.4.12
- cpe:2.3:a:hyperledger:fabric:1.4.2
- cpe:2.3:a:hyperledger:fabric:1.4.3
- cpe:2.3:a:hyperledger:fabric:1.4.4
- cpe:2.3:a:hyperledger:fabric:1.4.5
- cpe:2.3:a:hyperledger:fabric:1.4.6
- cpe:2.3:a:hyperledger:fabric:1.4.7
- cpe:2.3:a:hyperledger:fabric:1.4.8
- cpe:2.3:a:hyperledger:fabric:1.4.9
- cpe:2.3:a:hyperledger:fabric:2.0.0
- cpe:2.3:a:hyperledger:fabric:2.0.1
- cpe:2.3:a:hyperledger:fabric:2.1.0
- cpe:2.3:a:hyperledger:fabric:2.1.1
- cpe:2.3:a:hyperledger:fabric:2.2.0
- cpe:2.3:a:hyperledger:fabric:2.2.1
- cpe:2.3:a:hyperledger:fabric:2.2.10
- cpe:2.3:a:hyperledger:fabric:2.2.11
- cpe:2.3:a:hyperledger:fabric:2.2.12
- cpe:2.3:a:hyperledger:fabric:2.2.13
- cpe:2.3:a:hyperledger:fabric:2.2.2
- cpe:2.3:a:hyperledger:fabric:2.2.3
- cpe:2.3:a:hyperledger:fabric:2.2.4
- cpe:2.3:a:hyperledger:fabric:2.2.5
- cpe:2.3:a:hyperledger:fabric:2.2.6
- cpe:2.3:a:hyperledger:fabric:2.2.7
- cpe:2.3:a:hyperledger:fabric:2.2.8
- cpe:2.3:a:hyperledger:fabric:2.2.9
- cpe:2.3:a:hyperledger:fabric:2.3.0
- cpe:2.3:a:hyperledger:fabric:2.3.1
- cpe:2.3:a:hyperledger:fabric:2.3.2
- cpe:2.3:a:hyperledger:fabric:2.3.3
- cpe:2.3:a:hyperledger:fabric:2.4.0
- cpe:2.3:a:hyperledger:fabric:2.4.1
- cpe:2.3:a:hyperledger:fabric:2.4.2
- cpe:2.3:a:hyperledger:fabric:2.4.3
- cpe:2.3:a:hyperledger:fabric:2.4.4
- cpe:2.3:a:hyperledger:fabric:2.4.5
- cpe:2.3:a:hyperledger:fabric:2.4.6
- cpe:2.3:a:hyperledger:fabric:2.4.7
- cpe:2.3:a:hyperledger:fabric:2.4.8
- cpe:2.3:a:hyperledger:fabric:2.4.9
- cpe:2.3:a:hyperledger:fabric:2.5.0
- cpe:2.3:a:hyperledger:fabric:2.5.1
- cpe:2.3:a:hyperledger:fabric:2.5.2
- cpe:2.3:a:hyperledger:fabric:2.5.3
- cpe:2.3:a:hyperledger:fabric:2.5.4