GHSA-j92c-mmf7-j5x5

Source
https://github.com/advisories/GHSA-j92c-mmf7-j5x5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-j92c-mmf7-j5x5/GHSA-j92c-mmf7-j5x5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j92c-mmf7-j5x5
Published
2022-10-18T17:27:36Z
Modified
2022-10-18T17:27:36Z
Summary
Potential inter-blockchain communication (IBC) protocol compromise via "Dragonberry" vulnerability in cheqd
Details

Impact

IBC transfers are affected by a security vulnerability dubbed "Dragonberry" in the upstream Cosmos SDK. The vulnerability could allow malicious attackers to compromise chain-to-chain IBC transfers.

There is no vulnerability in the DID/resource modules for cheqd-node.

Patches

Node operators are requested to upgrade to cheqd-node v0.6.9 as soon as possible. Installation instructions are in the release notes. Please do not install any beta/pre-release versions.

Workarounds

None. The patch takes effect once more than 2/3rds of the voting power of the cheqd network has upgraded to it.

An emergency hotfix was previously released as v0.6.8, but it is now deprecated because Cosmos SDK v0.45.9 officially fixes the issue upstream.

References

For more information

If you have any questions or comments about this advisory:

* Open an issue in cheqd-node repo
* Email us at security-github@cheqd.io
* Message us on our community Slack or Discord

Affected packages

Go / github.com/cheqd/cheqd-node

Package

Name
github.com/cheqd/cheqd-node
Purl
pkg:golang/github.com/cheqd/cheqd-node

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.6.9