Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-r3r4-g7hq-pq4f #3443

Open
GoVulnBot opened this issue Feb 3, 2025 · 1 comment
Open

x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-r3r4-g7hq-pq4f #3443

GoVulnBot opened this issue Feb 3, 2025 · 1 comment
Assignees
@tatianab
Labels
high priority triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-r3r4-g7hq-pq4f references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts
Component: CometBFT
Criticality: High (Catastrophic Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes, Users

Description

A bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a ne...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - fixed: 0.38.17
        - introduced: 1.0.0-alpha.1
        - fixed: 1.0.1
      vulnerable_at: 1.0.0
summary: |-
    CometBFT allows a malicious peer to stall the network by disseminating seemingly
    valid block parts in github.com/cometbft/cometbft
ghsas:
    - GHSA-r3r4-g7hq-pq4f
references:
    - advisory: https://github.com/advisories/GHSA-r3r4-g7hq-pq4f
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-r3r4-g7hq-pq4f
    - fix: https://github.com/cometbft/cometbft/commit/f943aabc7b9201ea1089ff3381479929435ce424
source:
    id: GHSA-r3r4-g7hq-pq4f
    created: 2025-02-03T17:01:20.460972012Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/646596 mentions this issue: data/reports: add 2 needs review reports

gopherbot pushed a commit that referenced this issue Feb 4, 2025
@tatianab @gopherbot
data/reports: add 2 needs review reports
1d9f679 
  - data/reports/GO-2025-3442.yaml
  - data/reports/GO-2025-3443.yaml

Updates #3442
Updates #3443

Change-Id: Ibe6157196ab26ebf3c22e512eb4cde28f9338546
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/646596
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Neal Patel <[email protected]>
@tatianab tatianab self-assigned this Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
high priority triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot