Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-22qq-3xwm-r5x4 #3442

Open
GoVulnBot opened this issue Feb 3, 2025 · 1 comment
Open

x/vulndb: potential Go vuln in github.com/cometbft/cometbft: GHSA-22qq-3xwm-r5x4 #3442

GoVulnBot opened this issue Feb 3, 2025 · 1 comment
Assignees
@tatianab
Labels
high priority triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-22qq-3xwm-r5x4 references a vulnerability in the following Go modules:

Module
github.com/cometbft/cometbft

Description:
Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync
Component: CometBFT
Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2)
Affected versions: <= v0.38.16, v1.0.0
Affected users: Validators, Full nodes

Impact

A malicious peer may be able to interfere with a node's ability to sync blocks with peers via the blocksync mechanism.

In the blocksync protocol peers send their base and latest heights when they connect to a new node (A), which is...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cometbft/cometbft
      versions:
        - fixed: 0.38.17
        - introduced: 1.0.0-alpha.1
        - fixed: 1.0.1
      vulnerable_at: 1.0.0
summary: CometBFT allows a malicious peer to make node stuck in blocksync in github.com/cometbft/cometbft
cves:
    - CVE-2025-24371
ghsas:
    - GHSA-22qq-3xwm-r5x4
references:
    - advisory: https://github.com/advisories/GHSA-22qq-3xwm-r5x4
    - advisory: https://github.com/cometbft/cometbft/security/advisories/GHSA-22qq-3xwm-r5x4
    - fix: https://github.com/cometbft/cometbft/commit/0ee80cd609c7ae9fe856bdd1c6d38553fdae90ce
    - fix: https://github.com/cometbft/cometbft/commit/2cebfde06ae5073c0b296a9d2ca6ab4b95397ea5
source:
    id: GHSA-22qq-3xwm-r5x4
    created: 2025-02-03T16:01:50.717142716Z
review_status: UNREVIEWED
@tatianab tatianab mentioned this issue Feb 4, 2025
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/646596 mentions this issue: data/reports: add 2 needs review reports

gopherbot pushed a commit that referenced this issue Feb 4, 2025
@tatianab @gopherbot
data/reports: add 2 needs review reports
1d9f679 
  - data/reports/GO-2025-3442.yaml
  - data/reports/GO-2025-3443.yaml

Updates #3442
Updates #3443

Change-Id: Ibe6157196ab26ebf3c22e512eb4cde28f9338546
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/646596
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
@tatianab tatianab self-assigned this Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
high priority triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot