{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T19:59:11.471","vulnerabilities":[{"cve":{"id":"CVE-2023-46132","sourceIdentifier":"security-advisories@github.com","published":"2023-11-14T21:15:11.003","lastModified":"2024-11-21T08:27:56.877","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called \"cross-linking\" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a \"cross-linked block\" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"Hyperledger Fabric es un framework de contabilidad distribuido con permisos de código abierto. La combinación de dos moléculas entre sí, lo que se denomina \"cross-linking\", da como resultado una molécula con una fórmula química que está compuesta por todos los átomos de las dos moléculas originales. En Fabric, se puede tomar un bloque de transacciones y vincular las transacciones de una manera que altere la forma en que los pares analizan las transacciones. Si un primer par recibe un bloque B y un segundo par recibe un bloque idéntico a B pero con las transacciones cross-linked, el segundo par analizará las transacciones de una manera diferente y, por lo tanto, su estado mundial se desviará del primer par. Los ordenantes o pares no pueden detectar que un bloque tiene sus transacciones cross-linked, porque existe una vulnerabilidad en la forma en que Fabric procesa las transacciones de los bloques. Los concatena de manera simple e ingenua, lo cual es inseguro y permite que un adversario cree un \"cross-linked block\" (bloque con transacciones entrecruzadas) que altera la forma en que los pares procesan las transacciones. Por ejemplo, es posible seleccionar una transacción y manipular un par para evitar por completo procesarla, sin cambiar el hash calculado del bloque. Se agregaron validaciones adicionales en v2.2.14 y v2.5.5 para detectar posibles problemas de cross-linking antes de procesar bloques. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hyperledger:fabric:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"2.2.14","matchCriteriaId":"A1424E57-3AD8-488F-B35C-EF4A020804DE"},{"vulnerable":true,"criteria":"cpe:2.3:a:hyperledger:fabric:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.0","versionEndExcluding":"2.5.5","matchCriteriaId":"5595B581-80B8-4797-9C3C-73D57A0DF6ED"}]}]}],"references":[{"url":"https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69m","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}