GHSA-xqqc-c5gw-c5r5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xqqc-c5gw-c5r5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-xqqc-c5gw-c5r5/GHSA-xqqc-c5gw-c5r5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xqqc-c5gw-c5r5
- Aliases
- Published
- 2022-12-14T21:35:24Z
- Modified
- 2023-11-08T04:08:19.879804Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Tendermint light client verification not taking into account chain ID
- Details
-
Impact
Anyone using the
tendermint-light-clientand related packages to perform light client verification (e.g. IBC-rs, Hermes).At present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client.
The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks.
Patches
Users of the light client-related crates can currently upgrade to
v0.28.0.Workarounds
None
References
- Database specific
{ "nvd_published_at": "2022-12-15T19:15:00Z", "github_reviewed_at": "2022-12-14T21:35:24Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-347" ] }- References
Affected packages
crates.io / tendermint-light-client-verifier
Package
- Name
- tendermint-light-client-verifier
- View open source insights on deps.dev
- Purl
- pkg:cargo/tendermint-light-client-verifier
crates.io / tendermint-light-client
Package
- Name
- tendermint-light-client
- View open source insights on deps.dev
- Purl
- pkg:cargo/tendermint-light-client
crates.io / tendermint-light-client-js
Package
- Name
- tendermint-light-client-js
- View open source insights on deps.dev
- Purl
- pkg:cargo/tendermint-light-client-js