GHSA-rg2q-2jh9-447q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rg2q-2jh9-447q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-rg2q-2jh9-447q/GHSA-rg2q-2jh9-447q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rg2q-2jh9-447q
- Aliases
- Published
- 2024-08-08T16:30:50Z
- Modified
- 2024-08-08T17:03:07Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Gas mispricing in cosmwasm-vm
- Details
-
Component: wasmvm Criticality: Medium (ACMv1: I:Moderate; L:Likely) Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2
Some Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the gas target we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain.
See CWA-2024-004 for more details.
- Database specific
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-920" ], "github_reviewed_at": "2024-08-08T16:30:50Z" }- References
-
- https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-rg2q-2jh9-447q
- https://github.com/CosmWasm/cosmwasm/commit/5bef1c588933bd60a04bb70099150cf84b69e144
- https://github.com/CosmWasm/cosmwasm/commit/9b4d6d03772b75d500a7d3c972d0d8ba6d085c06
- https://github.com/CosmWasm/cosmwasm/commit/c1313afeb261e17b1c8cf6a1eacee1da0dac42ae
- https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md
- https://github.com/CosmWasm/wasmvm
- https://rustsec.org/advisories/RUSTSEC-2024-0361.html
Affected packages
crates.io
cosmwasm-vm
Package
- Name
- cosmwasm-vm
- View open source insights on deps.dev
- Purl
- pkg:cargo/cosmwasm-vm
cosmwasm-vm
Package
- Name
- cosmwasm-vm
- View open source insights on deps.dev
- Purl
- pkg:cargo/cosmwasm-vm
cosmwasm-vm
Package
- Name
- cosmwasm-vm
- View open source insights on deps.dev
- Purl
- pkg:cargo/cosmwasm-vm
Go
github.com/CosmWasm/wasmvm/v2
Package
- Name
- github.com/CosmWasm/wasmvm/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/CosmWasm/wasmvm/v2
github.com/CosmWasm/wasmvm/v2
Package
- Name
- github.com/CosmWasm/wasmvm/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/CosmWasm/wasmvm/v2
github.com/CosmWasm/wasmvm
Package
- Name
- github.com/CosmWasm/wasmvm
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/CosmWasm/wasmvm