
x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-p7mv-53f2-4cwj #3259

Open
GoVulnBot opened this issue Nov 6, 2024 · 1 comment

Comments

@GoVulnBot

Advisory GHSA-p7mv-53f2-4cwj references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data
Component: CometBFT
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: >= 0.38.x, unreleased v1.x and main development branches
Affected users: Chain Builders + Maintainers, Validators

Impact

A CometBFT node running in a network with [vote extensions][abci-spec] enabled could produce an invalid Vote message and send it to its peers. The invalid field of the ...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - introduced: 0.38.0
        - fixed: 0.38.15
      vulnerable_at: 0.38.14
summary: 'CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft'
ghsas:
    - GHSA-p7mv-53f2-4cwj
references:
    - advisory: https://github.com/advisories/GHSA-p7mv-53f2-4cwj
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj
    - web: https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts
    - web: https://github.com/cometbft/cometbft/releases/tag/v0.38.15
source:
    id: GHSA-p7mv-53f2-4cwj
    created: 2024-11-06T16:01:33.37723525Z
review_status: UNREVIEWED

@gopherbot

Change https://go.dev/cl/626158 mentions this issue: data/reports: add 4 NEEDS_REVIEW reports

gopherbot pushed a commit that referenced this issue Nov 20, 2024
  - data/reports/GO-2024-3122.yaml
  - data/reports/GO-2024-3140.yaml
  - data/reports/GO-2024-3259.yaml
  - data/reports/GO-2024-3265.yaml

Updates #3122
Updates #3140
Updates #3259
Updates #3265

Change-Id: I3fb8a3af0ccd59ed8dd5d130889e10601c0a9472
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/626158
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>