
x/vulndb: potential Go vuln in github.com/CosmWasm/wasmvm/v2: GHSA-mx2j-7cmv-353c #3449

Open
GoVulnBot opened this issue Feb 4, 2025 · 1 comment

Comments

@GoVulnBot

Advisory GHSA-mx2j-7cmv-353c references a vulnerability in the following Go modules:

Module
github.com/CosmWasm/wasmvm
github.com/CosmWasm/wasmvm/v2

Description:

CWA-2025-002

Severity

Medium (Moderate + Likely)[^1]

Affected versions:

  • wasmvm >= 2.2.0, < 2.2.2
  • wasmvm >= 2.1.0, < 2.1.5
  • wasmvm >= 2.0.0, < 2.0.6
  • wasmvm < 1.5.8

Patched versions:

  • wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2

Description of the bug

The vulnerability can be used to slow down block production. The attack requires a malicious contract,
so permissioned chains are unlikely to be affected.

(We'll add more detail once chains have had a chance to upgrade.)

Patch

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/CosmWasm/wasmvm
      versions:
        - fixed: 1.5.8
      vulnerable_at: 1.5.7
    - module: github.com/CosmWasm/wasmvm/v2
      versions:
        - introduced: 2.0.0
        - fixed: 2.0.6
        - introduced: 2.1.0
        - fixed: 2.1.5
        - introduced: 2.2.0
        - fixed: 2.2.2
      vulnerable_at: 2.2.1
summary: 'wasmvm: Malicious smart contract can slow down block production in github.com/CosmWasm/wasmvm'
ghsas:
    - GHSA-mx2j-7cmv-353c
references:
    - advisory: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-mx2j-7cmv-353c
    - advisory: https://github.com/advisories/GHSA-mx2j-7cmv-353c
    - fix: https://github.com/CosmWasm/cosmwasm/commit/2b7f2faa57a1efc8207455c37f87f1eee6035a27
    - fix: https://github.com/CosmWasm/cosmwasm/commit/a5d62f65b5eb947ebe40e2085b1c48a9d0a244d0
    - fix: https://github.com/CosmWasm/cosmwasm/commit/d6143b0aff16a39bbea4be37597d8e9d9b213d3b
    - fix: https://github.com/CosmWasm/cosmwasm/commit/f0c04c03cbe2557634c1bbcdc2ce203fe7caca58
    - web: https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2025-002.md
source:
    id: GHSA-mx2j-7cmv-353c
    created: 2025-02-04T19:01:19.562507625Z
review_status: UNREVIEWED
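As an added example (not part of the report above, of x/vulndb, or of the wasmvm project), the following Go program encodes the module ranges from the YAML report and answers whether a given module version is inside an affected range, using the report's range semantics: `introduced` is inclusive, `fixed` is exclusive, and an entry with only `fixed` (the `github.com/CosmWasm/wasmvm` v1 module here) covers every earlier version. Module paths and boundary versions are copied from the report; the version parsing and comparison is a simplified re-implementation written for this example, not `golang.org/x/mod/semver`, and the simplification is marked in the code.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedRange mirrors one introduced/fixed pair from the report.
// Introduced == "" means "every version before Fixed".
type affectedRange struct {
	Introduced string
	Fixed      string
}

// Ranges copied from the report above (GHSA-mx2j-7cmv-353c).
var wasmvmRanges = map[string][]affectedRange{
	"github.com/CosmWasm/wasmvm": {
		{Introduced: "", Fixed: "1.5.8"},
	},
	"github.com/CosmWasm/wasmvm/v2": {
		{Introduced: "2.0.0", Fixed: "2.0.6"},
		{Introduced: "2.1.0", Fixed: "2.1.5"},
		{Introduced: "2.2.0", Fixed: "2.2.2"},
	},
}

// version is a minimal semver value: MAJOR.MINOR.PATCH plus an optional
// pre-release string. Build metadata ("+...") is ignored, as semver requires.
type version struct {
	nums [3]int
	pre  string
}

// parseVersion accepts "v2.1.4", "2.1.4" or "2.2.2-rc.1".
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("bad version %q: want MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q: component %q", s, p)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare returns -1, 0 or 1. A pre-release sorts below its release
// (2.2.2-rc.1 < 2.2.2). Two pre-releases are compared lexically here,
// which is a simplification of the full semver identifier rules.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == "" && b.pre == "":
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// IsAffected reports whether module@ver falls inside any affected range:
// Introduced <= ver < Fixed, with a missing Introduced meaning no lower bound.
func IsAffected(module, ver string) (bool, error) {
	ranges, ok := wasmvmRanges[module]
	if !ok {
		return false, fmt.Errorf("module %q is not in the report", module)
	}
	v, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if r.Introduced != "" {
			lo, err := parseVersion(r.Introduced)
			if err != nil {
				return false, err
			}
			if compare(v, lo) < 0 {
				continue
			}
		}
		hi, err := parseVersion(r.Fixed)
		if err != nil {
			return false, err
		}
		if compare(v, hi) < 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs: the report's vulnerable_at versions, the
	// patched versions, and a pre-release of a patched version.
	for _, c := range []struct{ mod, ver string }{
		{"github.com/CosmWasm/wasmvm", "v1.5.7"},
		{"github.com/CosmWasm/wasmvm", "v1.5.8"},
		{"github.com/CosmWasm/wasmvm/v2", "v2.2.1"},
		{"github.com/CosmWasm/wasmvm/v2", "v2.2.2"},
		{"github.com/CosmWasm/wasmvm/v2", "v2.2.2-rc.1"},
	} {
		affected, err := IsAffected(c.mod, c.ver)
		fmt.Printf("%s@%s affected=%v err=%v\n", c.mod, c.ver, affected, err)
	}
}
```

Two caveats follow from the range semantics rather than from the code: a pre-release of a fixed version (v2.2.2-rc.1) is still inside the range and is reported as affected, while a pre-release of an introduced boundary (v2.2.0-rc.1) sorts below 2.2.0 and above 2.1.5, so it falls in a gap between two ranges and is reported as not affected even though nothing on this page says such a build is safe. When triaging a real dependency, run `go list -m github.com/CosmWasm/wasmvm/v2` to get the resolved version rather than reading go.mod, since a `replace` or a higher transitive requirement can change it.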

@gopherbot
Contributor

Change https://go.dev/cl/647056 mentions this issue: data/reports: add 2 needs review reports

gopherbot pushed a commit that referenced this issue Feb 5, 2025
  - data/reports/GO-2025-3448.yaml
  - data/reports/GO-2025-3449.yaml

Updates #3448
Updates #3449

Change-Id: Ia36b7c1627053f98f3c7503729d0a474c4f0f8e8
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/647056
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
@tatianab tatianab assigned tatianab and unassigned tatianab Feb 7, 2025
@tatianab tatianab self-assigned this Feb 7, 2025