x/vulndb: potential Go vuln in cosmossdk.io/math: GHSA-7225-m954-23v7 #3279

Open
GoVulnBot opened this issue Nov 21, 2024 · 1 comment

@GoVulnBot

Advisory GHSA-7225-m954-23v7 references a vulnerability in the following Go modules:

Module: cosmossdk.io/math

Description:
Name: ASA-2024-010: Mismatched bit-length in sdk.Int and sdk.Dec can lead to panic
Component: Cosmos SDK / Math
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmossdk.io/math package versions <= math/v1.3.0
Affected users: Chain Builders + Maintainers, Validators

Impact

The bit-length in sdk.Int and sdk.Dec are not aligned, which may present a possible panic condition when interacting with Dec types in an Int context. This issue was ...

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: cosmossdk.io/math
      non_go_versions:
        - introduced: TODO (earliest fixed "1.4.0", vuln range "<= 1.3.0")
      vulnerable_at: 1.4.0
summary: |-
    ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and
    sdk.Dec can lead to panic
ghsas:
    - GHSA-7225-m954-23v7
references:
    - advisory: https://github.com/advisories/GHSA-7225-m954-23v7
    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-7225-m954-23v7
    - fix: https://github.com/cosmos/cosmos-sdk/commit/c6522a72a45c34897f9fc85d438c0b74d52f8862
source:
    id: GHSA-7225-m954-23v7
    created: 2024-11-21T15:01:34.312644476Z
review_status: UNREVIEWED
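The advisory excerpt above says the bit-length budgets of the integer and decimal types were not aligned, so a value that is valid for one type can trip a panic when it crosses into the other. The following Go program is an added illustration written for this issue page; it is not code from cosmossdk.io/math or from the fix commit. It models the two types with constructed constants (a 256-bit integer budget and an 18-digit decimal scaling, which are assumptions about the library, not facts taken from the advisory) and shows why the decimal side needs at least ceil(log2(10^18)) = 60 extra bits for every valid integer to round-trip, and how a checked conversion returns an error instead of panicking.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Modelled constants (assumptions for this example, not copied from the library):
// an Int may hold at most maxIntBitLen bits, and a Dec stores value*10^precision
// as a big.Int mantissa.
const (
	maxIntBitLen = 256
	precision    = 18
)

// scale is 10^precision; precisionBits is the number of extra bits multiplying
// by scale can add to a mantissa: ceil(log2(10^18)) = 60.
var (
	scale         = new(big.Int).Exp(big.NewInt(10), big.NewInt(precision), nil)
	precisionBits = scale.BitLen()
)

// ErrOverflow is returned instead of panicking when a value exceeds its budget.
var ErrOverflow = errors.New("value exceeds bit-length budget")

// MaxInt returns 2^maxIntBitLen - 1, the widest value the modelled Int accepts.
func MaxInt() *big.Int {
	max := new(big.Int).Lsh(big.NewInt(1), maxIntBitLen)
	return max.Sub(max, big.NewInt(1))
}

// ScaleToDec converts an Int into a Dec mantissa and checks the result against
// a Dec budget of maxIntBitLen+extraBits. A mismatched budget (extraBits below
// precisionBits) rejects integers that were perfectly valid as an Int.
func ScaleToDec(i *big.Int, extraBits int) (*big.Int, error) {
	if i.BitLen() > maxIntBitLen {
		return nil, fmt.Errorf("%w: int has %d bits, max %d", ErrOverflow, i.BitLen(), maxIntBitLen)
	}
	mantissa := new(big.Int).Mul(i, scale)
	if budget := maxIntBitLen + extraBits; mantissa.BitLen() > budget {
		return nil, fmt.Errorf("%w: dec mantissa has %d bits, max %d", ErrOverflow, mantissa.BitLen(), budget)
	}
	return mantissa, nil
}

// TruncateToInt goes the other way: it drops the fractional digits of a Dec
// mantissa and checks that the integer part fits the Int budget, returning an
// error rather than panicking when it does not.
func TruncateToInt(mantissa *big.Int) (*big.Int, error) {
	whole := new(big.Int).Quo(mantissa, scale)
	if whole.BitLen() > maxIntBitLen {
		return nil, fmt.Errorf("%w: truncated value has %d bits, max %d", ErrOverflow, whole.BitLen(), maxIntBitLen)
	}
	return whole, nil
}

// BudgetAligned reports whether the largest valid Int survives conversion into
// a Dec under the given extra-bit budget, i.e. whether the two types agree.
func BudgetAligned(extraBits int) bool {
	_, err := ScaleToDec(MaxInt(), extraBits)
	return err == nil
}

func main() {
	fmt.Println("extra bits needed for 10^18 scaling:", precisionBits)
	fmt.Println("budget of 59 extra bits aligned:", BudgetAligned(precisionBits-1))
	fmt.Println("budget of 60 extra bits aligned:", BudgetAligned(precisionBits))
}
```

The check to carry over to real code is BudgetAligned: a single conversion of the type's maximum value run as a unit test would have flagged the mismatch before it could surface as a runtime panic in consensus code.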

@gopherbot (Contributor)

Change https://go.dev/cl/630756 mentions this issue: data/reports: add 2 needs review reports

gopherbot pushed a commit that referenced this issue Nov 21, 2024
  - data/reports/GO-2024-3279.yaml
  - data/reports/GO-2024-3282.yaml

Updates #3279
Updates #3282

Change-Id: I198fb77d1510d966d66fd34906f15ae24a1f2364
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/630756
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>