Crosslinking transaction attack in hyperledger/fabric
CVE-2023-46132

7.1HIGH

Key Information:

Vendor: Hyperledger
Status: Fabric
Vendor: CVE Published:; 14 November 2023

🔔 Create Hyperledger Vulnerability Alert

What is CVE-2023-46132?

Hyperledger Fabric, an open source permissioned distributed ledger framework, has a vulnerability that allows for cross-linking of transactions within blocks. The simplistic method of hashing utilized by Fabric—concatenating transactions—enables adversaries to manipulate transaction parsing between peers without detection. This manipulation can result in one peer processing a block differently than another, leading to inconsistencies in the world state. Although recent updates in versions 2.2.14 and 2.5.5 have introduced measures to identify potential cross-linking issues, users must upgrade as there are no workarounds available for this vulnerability.

Affected Version(s)

fabric >= 1.0.0, < 2.2.14 < 1.0.0, 2.2.14

fabric >= 2.3.0, < 2.5.5 < 2.3.0, 2.5.5

References

https://github.com/hyperledger/fabric/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Oct 16, 2023

CVE-2023-46132 Data

JSON