Component: Cosmos SDK
Criticality: High
Affected Versions: Cosmos SDK versions <= 0.50.4, on 0.50 branches
Affected Users: Chain developers, Validator and Node operators
Impact: Elevation of Privilege

The default ValidateVoteExtensions helper function infers total voting power from the injected VoteExtension data, which is supplied by the proposer. If your chain uses the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate the voting power of each validator it includes in the injected VoteExtension, which could have unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.
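
The difference between trusting injected voting power and confirming it against state, as an added example that is not Cosmos SDK code: a simplified model in which the `Vote` type, both function names, the validator names and the two-thirds threshold are assumptions made for illustration.

```go
package main

import "fmt"

// Vote is a hypothetical stand-in for one proposer-injected vote extension entry.
type Vote struct {
	Validator string
	Power     int64 // voting power as claimed in the injected data
	Signed    bool  // true if a valid vote extension signature was supplied
}

// quorumFromInjected models the flaw: total power is summed from injected data.
func quorumFromInjected(votes []Vote) bool {
	var total, signed int64
	for _, v := range votes {
		total += v.Power
		if v.Signed {
			signed += v.Power
		}
	}
	return signed*3 > total*2 // assumed threshold: more than 2/3 of total power
}

// quorumFromState models the fix: claimed power must match state; total comes from state.
func quorumFromState(votes []Vote, state map[string]int64) (bool, error) {
	var total, signed int64
	for _, p := range state {
		total += p
	}
	seen := make(map[string]bool)
	for _, v := range votes {
		p, ok := state[v.Validator]
		if !ok || p != v.Power || seen[v.Validator] {
			return false, fmt.Errorf("injected vote for %s does not match state", v.Validator)
		}
		seen[v.Validator] = true
		if v.Signed {
			signed += p
		}
	}
	return signed*3 > total*2, nil
}

func main() {
	state := map[string]int64{"val1": 10, "val2": 10, "val3": 10, "val4": 10} // constructed
	injected := []Vote{{"val1", 100, true}, {"val2", 10, false}}            // constructed
	fmt.Println(quorumFromInjected(injected))                               // accepted
	fmt.Println(quorumFromState(injected, state))                           // rejected
}
```
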
If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.
A GitHub Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-12T15:50:23Z" }