Skip to content

x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
GoVulnBot opened this issue Sep 3, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/cometbft/cometbft/light: GHSA-g5xx-c4hv-9ccc #3112

GoVulnBot opened this issue Sep 3, 2024 · 1 comment
Assignees
@tatianab
Labels
high priority triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-g5xx-c4hv-9ccc references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2024-009: State syncing validator from malicious node may lead to a chain split
Component: CometBFT
Criticality: Medium (ACMv1.2: I:Moderate; L: Possible)
Affected versions: >= 0.34.0, <= 0.34.33, >=0.37.0, <= 0.37.10, >= 0.38.0, <= 0.38.11

Summary

The state sync protocol retrieves a snapshot of the application and installs it in a fresh node. In order for this node to be ready to run consensus and block sync from the installed snapshot height, we also need to install a vali...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - fixed: 0.34.34
        - introduced: 0.37.0
        - fixed: 0.37.11
        - introduced: 0.38.0
        - fixed: 0.38.12
      non_go_versions:
        - introduced: 0.34.0
summary: CometBFT's state syncing validator from malicious node may lead to a chain split in github.com/cometbft/cometbft
ghsas:
    - GHSA-g5xx-c4hv-9ccc
references:
    - advisory: https://github.com/advisories/GHSA-g5xx-c4hv-9ccc
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-g5xx-c4hv-9ccc
    - fix: https://github.com/cometbft/cometbft/commit/3937e00a339ee6b861d75997b4f6c87d867b74f2
    - fix: https://github.com/cometbft/cometbft/commit/52c00a537f8f56ed94b4a5c8af6e3fecff468b55
notes:
    - fix: 'github.com/cometbft/cometbft: could not add vulnerable_at: module is not canonical at 1 version(s): 0.34.34 (canonical:github.com/tendermint/tendermint)'
source:
    id: GHSA-g5xx-c4hv-9ccc
    created: 2024-09-03T21:01:29.213306039Z
review_status: UNREVIEWED
@tatianab tatianab self-assigned this Sep 6, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/613258 mentions this issue: data/reports: add GO-2024-3112

@GoVulnBot GoVulnBot mentioned this issue Nov 6, 2024
Closed
This was referenced Feb 3, 2025
Closed
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tatianab tatianab

Labels
high priority triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot